Wednesday 26 November 2008

EU Agency presents a new study on how to counter information security risks with a change in the financial sector staff awareness.

Loss caused by theft of customer information and costs of security incidents response is rising according to a new ENISA report. Security breaches in financial organisations can cause heavy financial losses. Employee information security awareness is the way forward, the EU Agency's white paper claims.

Safeguarding personal and financial data is key for the financial services industry. According to the 2008 report of the UK Financial Services Authority financial services firms could significantly reconsider their approaches to data security. Both the costs for less by theft of customer information and the cost of responding to security incidents are rising. Security breaches in financial organisations damages both reputation and causes heavy financial losses, difficult to recover from.

Employees are now considered the single most likely cause of security incidents, confirmed in many international surveys (2007 Global State of Security, the 2008 BERR survey, et al). BERR reports that 47% of large businesses suffer from staff misuse of information systems. Technical solutions are no longer the solution nowadays. The cost for training staff constitutes an important financial commitment for any organisation.

The report is an assessment of the environment of financial organisations and their main business drivers. It presents the landscape of international standards, legislation and certification objectives together with major risks, threats and end-users behaviour. Moreover, the paper covers the different phases of implementation of awareness raising programme in financial organisations and assessment of results. It is imperative that all roles are clearly defined and match them to the corresponding security topics, as identified in tables in the report. Finally, the paper contains practical advice, a set of 20 recommendations and 7 case studies provided by a number of financial organisations around Europe. The ENISA Virtual Working Group on “How to organise awareness raising programmes in financial organisations” contributed to this paper.

The Executive Director of ENISA, Mr. Andrea Pirotti comments on the report:
“The poor state of data security is a serious issue for the financial markets. This is not the time not to invest in security and training for staff, as the costs and consequences thereof may be business critical.”

To view the complete report please visit: http://www.enisa.europa.eu/doc/pdf/deliverables/is_awareness_financial_organisations.pdf

Tuesday 25 November 2008

Bloggers take German national library to task

From: FT November 25 2008

For someone writing under the name Robert Basic, it seemed too good to be true.
“My parents are never going to believe I’m going to be catalogued by the German national library,” the blogger wrote about the library’s plans to collect things German on the web to add to its century-old collection of the nation’s books.

But such expressions of delight were drowned out by outraged disbelief as websites reported that the Nationalbibliothek, based in Frankfurt and Leipzig, could force every private website owner and amateur blogger to submit material – and fine the noncompliant up to €10,000 ($13,000, £8,500).

Blogs have since been alive with jokes about German thoroughness, and calls to resist.
“Every home page owner should shunt them a pdf [file] with a copy of their website in highest quality, preferably all on the same day,” one blogger wrote on heise.de, a popular site among techies. “Then [the library’s] server would burst.”

Another blogger, writing under the pseudonym “night watchman”, published a screed on his homepage. The hassle of submitting pages and the threat of fines would kill the German-speaking internet as a forum of free speech, he thundered. His site was a “personal archive” that was of no value to a public institution.

The internet is often praised for its “viral” qualities, which set it apart from the methods of traditional mass media. But in this case, word-of-mouth authenticity morphed into unreliable Chinese whispers, as many of the things criticised about the library’s plans turned out to be incorrect.

The library had indeed received a government mandate in 2006 to collect web publications and to fine the unco-operative – as a last resort.

On October 22, Berlin released more details: the library should choose what it collected – based on its as-yet modest capacity and what it deemed to be of public interest. But the webbies’ frenzy had touched on an important and unresolved issue.

Faced with the deluge of online information and limited budgets for gathering and archiving, what could and should a public archive preserve for the nation – and when should easily tapped home pages be considered private rather than public?

With the internet already in its second decade and host to reams of material for which paper was too expensive or too cumbersome, it is startling to realise that the German national library and its worldwide peers are only just beginning to grapple with the problems of systematically archiving the web.

While the US Library of Congress started looking at “web capture” in 2000, and founded an international group to do the same in 2003, its internet archive remains selective. It boasts 17 thematic collections – but its archive about web coverage of September 11 2001, say, gives no idea how news sites’ top story developed that day.

The Germans started making plans in earnest two years ago to save web publications for posterity. Ute Schwens, director of the Nationalbibliothek in Frankfurt, said the collection was still a work in progress, one that was taking shape in consultation with national libraries in France, the Netherlands, the UK and North America.

“At the moment, we’re only collecting e-books and online dissertations but we’re going to be moving into the areas of blogs and websites fairly soon,” she said. “It’s got to be information other people might need but nothing purely commercial” – basically eliminating a huge crop of online shopping and corporate websites.

“We’re talking to [newspaper and magazine] publishers about their sites,” Ms Schwens said, “And we’re interested in blogs by people in public life – but not in every site of every private individual.” The limiting factors were technical: What file types to accept? How often should a library archive an ever-changing website?

Currently targeting e-books and dissertations, much of the collecting in Frankfurt is still done by hand. The 20,000 publishers and academic institutions registered with the library are obliged to submit web material to the library’s server, run by an outside provider, or leave files on their own systems for the library to pick up.

Soon a lot of collecting will be done by machine. Material from news sites, for example, can already be secured automatically using a technique called “harvesting”. The question for each library will be how often to instruct its computers to do this: Ms Schwens said there were 12m active German websites, although not all would deserve a look.

The library has already collected 40,000 e-books, 60,000 online dissertations and 1,200 e-journals, still a modest number compared with a physical archive that counts 24.5m items.
“But in the next few years, we’re going to collect millions of files,” she said – perhaps even the web encyclopaedia Wikipedia. Now that should make all webbies happy.

Indeed, the German blogosphere seems to be coming round to the idea. Admitting it was caught off guard by the deluge of misinformed protest, the Nationalbibliothek now gives comprehensive information about its plans – on its website, of course. One newly enthused webbie recently said on heise.de: “Let’s stop digital amnesia!”

Source: http://www.ft.com/cms/s/0/fb9fb642-ba81-11dd-aecd-0000779fd18c.html

Thursday 20 November 2008

ARMA's 3rd Brussels Roundtable brings together top policy makers, stakeholders and RIM professionals

On 7 November 2008, ARMA International organised its 3rd Roundtable on Information Governance and Records Management in Brussels. The event was attended by more than 80 representatives from the European Union Institutions, stakeholder organisations, and the private sector. The event was also attended by a large number or records and information management professionals, information security professionals and archivists from all over Europe and beyond, working in many different sectors.

Douglas Allen, President-Elect of ARMA International, opened the roundtable by addressing the need for good records management in view of the financial crisis which was in large part due to lack of transparency. He mentioned recent security breaches in Europe to underline that information have become corporate assets of critical importance and growing risk areas and that sound records management should be the responsibility of all individuals within an organisation.

Towards a European Freedom of Information Act
Mr. Marc Maes from the Secretariat-General of the European Commission gave first a short presentation of the history of the right of access to documents. He provided an overview of the current version of the Regulation 1049/2001 regarding the beneficiaries, scope and limits of the right of access to documents.

He also presented the situation of third party documents that should be transmitted after the consultation of the author unless it is clear that the document should be transmitted. He stressed that the institutions who received a request should decide on the basis of the exceptions to this right and other institutions are consulted under a memorandum of understanding.

Mr Maes gave an overview of the proposal to review the Regulation 1049/2001 that was published on 30 April 2008 on which ARMA replied to a consultation following the publication of a Green Paper and drafted a position paper. He pointed out in particular the main features of the definition of the term document and presented the main limitations to the scope of the Regulation. Finally, he mentioned the latest case laws on access to documents.

Mr. Fergal O’Regan, Head of Legal Unit at the European Ombudsman’s office addressed the main concerns of this organisation regarding the review of the Regulation 1049/2001.

He pointed out that the wording used in the definition of the term document is the main concern of the Ombudsman. He wondered if the term “formally transmitted” means documents transmitted within or outside the institutions or if this definition should be understood as including informal transmission. In its position paper on the review of the Regulation 1049/2001 ARMA International expressed that this definition should be revised to be more in line with document and records definitions included in international recognized standards in information management such as ISO 15489.

Mr. Hielke Hijmans from the European Data Protection Supervisor (EDPS) office explained the role of the EDPS in case law related to access to documents. He stressed that the fundamental right of access to documents sometimes clashes with the fundamental right to privacy. He pointed out that the review of the Regulation 1049/2001 does not find the right balance between access to documents and privacy as its provisions does not ensure that disclosure can only be denied if the privacy or the integrity of a person would be undermined.

The Markets in Financial Instruments Directive (MiFID)
Mr. Salvatore Gnoni from the Directorate-General Internal Market and Services of the European Commission gave a wide overview of MiFID. He also discussed the MiFID provisions regarding transparency, transactions reporting and record keeping.

As regards transparency requirements, he explained that the market transparency regime concerns pre- and post-trade information and covers shares admitted on a regulated market while the transaction reporting regime covers all securities and derivative contracts admitted on a regulated market.

He stressed that investment firms should report details of their transactions to their national authorities and that these authorities should share information among themselves.

Investment firms should keep records of their transactions for a general period of 5 years in order to keep them at the disposal of the competent authorities. He quoted a recommendation from the CESR (Committee of European Securities Regulators) which provides a list of minimum records and explained that Member States can keep records of telephone conversation or electronic communications which can be used in order to show that investment firms comply with record keeping requirements.

Mr. Jitz Desai, Director of JWG-IT, pointed out the difficulties of firms to comply with MiFID requirements regarding record keeping as these new obligations are among the EU implementation priorities. Consequently, a short period of time is at the disposal of firms to comply with the Directive.

He stressed that firms need to know exactly their data in order to prove that they comply with this Directive. But some requirements such as proving best execution will make compliance difficult. It will be also difficult for firms to assess the costs to gather the relevant information.

e-Health Interoperability
Ms. Linda Mauperon, member of the Cabinet of European Commissioner Viviane Reding, insisted first on the benefits of eHealth for healthcare services and for citizens, and on the importance of the eHealth market compared to others health markets.

She stressed that the lack of interoperability is the most important obstacle to the development of eHealth. However, she pointed out that a growing will exists among Member States and stakeholders to solve this problem. The Commission is also committed to improve interoperability of eHealth services as it published a Recommendation containing guidelines and principles to provide interoperability in a cross-border context in July 2008. She quoted other initiatives such as the epSOS project whose goal is to reach a situation where doctors have access to information on a patient without taking into account the country in which they were created. She also stressed that industry is committed to interoperability and that all these initiatives will contribute to make interoperability a reality

Ms. Angelika Haendel from AHIMA explained on the fact that eHealth is a growing sector but interoperability is a prerequisite to its development. She stressed that interoperability is a necessity because trends such as international travel or multinational companies make boundaries less relevant.

Mrs Haendel pointed out that eHealth will become an important area as it represents 5% of the EU GDP and because the EU provides more funds to eHealth projects. However, there are several challenges eHealth projects have to challenge: the intervention of several Member States in an area of national competence, the fragmentation of health organisations in Europe and the growth of electronic data. She presented several eHealth projects such as the integrated care project or the Siemens Soarian Integrated Care.

The Internet of the Future
Dr. Florent Frederix, Head of Sector Networked Enterprise & Radio Frequency Identification unit at the European Commission, presented past and future actions of the Commission on RFID. Regarding future actions, the Commission will adopt a Recommendation on RFID in Autumn 2008 and will publish a staff working paper and a Communication on the Internet of Things in winter 2008/2009.

He stressed that a secure and privacy friendly use of RFID is one of the objective of the Recommendation. He pointed out that RFID chips can become more intelligent and will be able not only to identify things but also to collect information.

The main challenges of the consultation on RFID that close on 28 November 2008 were also put forward: security, privacy and data protection, control of critical global resources, governance of resources, standard settings and interoperability and social and human impact.

The different applications of RFID were promoted in areas such as health, transport, environment monitoring and disaster management.

During this session it appeared that RFID will entail important challenges for records management regarding privacy or security for instance as through this technology an important amount of information will be created and will have to be managed in compliance with EU requirements. However, the way record managers will have to manage these data did not appear clearly.

Mr; Laurent Beslay, Technology Adviser at the European Data Protection supervisor (EDPS) office, stressed the role of the EDPS and data protection principles applicable to RFID and explained that the EDPS office analyses the impact of new technologies on these principles.

He pointed out that privacy challenges are related to RFID as this technology will concern not only the industry but also citizens. If citizens store their data at home they will benefit from a legal protection as home is considered as a legal sanctuary but data are now spread everywhere. He also mentioned the trend of cloud computing where end users store their data on a server outside their hope but do not know where these data are stored exactly. He wondered if end users will benefit from a legal protection if there data are stored by a company.

He stressed that to implement successfully RFID applications security and data protection considerations should be introduced as soon as possible in the creation of new applications. Moreover, best techniques, i.e. the way a technology is implemented, should be used and the way security breaches will be managed should be taken into account.

Wednesday 29 October 2008

Workshop on the Data Retention Directive


Job posting

The BBC is looking for an Advisor, Information Policy & Compliance

Click here for more information: http://jobs.bbc.co.uk/fe/tpl_bbc01.asp?newms=jj&id=25171&aid=15571

Tuesday 28 October 2008

Updated Agenda ARMA EU Roundtable

The latest agenda of ARMA's 3rd EU Roundtable on Information Govezrnance and Records Management which will take place in Brussels on 7 November is available here: http://www.arma.org/brusselsroundtable/. To register your participation, please click here: https://www.agsreg.com/arma_international/registration.php?e=1679091c5a880faf6fb5e6087eb1b2dc

This exclusive event will involve key policy makers from the European Union institutions as well as relevant stakeholders and will include presentations by noted experts in the Information Management field, with open dialogue by participants. Issues which will be addressed include:
· Transparency: The review of the Regulation 1049/2001 on access to documents - Access to third party documents and information
· The Markets in Financial Instruments Directive (MiFID): Records Management Compliance for multinationals
· E-Health Interoperability - Challenges for records and information management
· The Internet of the Future - The internet of "things" and privacy considerations

ENISA workshop on "Improving the resilience of public eCommunications networks", 12-13 November, Brussels

THe EU Network and Information Security Agency (ENISA) is organising a workshop on “Improving Resilience in European e-Communication Networks - Putting the pieces together”. the egenda is now available at http://www.enisa.europa.eu/sta/workshop2008.
The workshop will be held at Brussels on 12-13 November, 2008, and is organised in the
context of ENISA’s Multi-annual Thematic Program (MTP) http://www.enisa.europa.eu/doc/pdf/management_board/decisions/enisa_wp_desig_ver_2008.pdf with the overall aim to evaluate and improve the resilience of public eCommunications networks in Europe.

Friday 17 October 2008

Legal blow to opponents of data retention bill

The European Court of Justice advocate general on Tuesday (14 October) delivered a blow to member states hoping to overturn an EU law on harmonising telephone and internet data retention rules, saying the case is an internal market matter, not a justice and home affairs issue.
The directive - which was approved by a qualified majority of EU states in February 2006 - sets a time period of six months to two years during which telecom operators are to keep phone and internet data, in the name of fighting terrorism and crime and increasing security.

Irish telecoms operators and internet service providers currently face tougher rules and must keep the data for up to three years, according to the Irish Times. Consequently, Ireland, backed in its position by Slovakia, wanted the rules to be subject to justice and home affairs provisions, rather than to internal market ones.

In the realm of justice and home affairs, a unanimity of member states is needed for directives to be approved, whereas a qualified majority of EU countries is sufficient to pass an internal market one.

But EU advocate general Yves Bot on Tuesday "invite[d] the court to dismiss the action, taking the view that the directive was correctly based on the EC Treaty," a court press release reads.
Mr Bot estimates that the bill "does not contain any provisions liable to come within the notion of 'police and judicial co-operation in criminal matters'," and is primarily an internal market issue.
"As regards Ireland's argument that the sole or main purpose of the directive is the investigation, detection and prosecution of serious crime, the advocate general … considers that the mere fact that the directive refers to such an objective is not sufficient for a finding that it is an act falling within the area covered by police and judicial co-operation in criminal matters," according to the court's press release.

The advocate general's opinion is not binding on the court, but is however adhered to by the ECJ in around 80 percent of all cases. A date for the ECJ's ruling has not been set at this stage.

From www.EUobserver.com

Wednesday 15 October 2008

Job posting

Geneva School of Business Administration

Le département Information documentaire cherche: Un-e professeur-e HES en archivistique et en records management ou Un-e chargé-e d'enseignement HES en archivistique et en records management

Taux d'activité: 100%

Mission

  • Enseignement dans le domaine de l’archivistique et du records management,selon expérience, et ce, dans les formations de base Bachelor voire Masteret les formations continues (MAS-DAS-CAS) ;
  • Responsabilité du volet archivistique et records management de la formation ;• Direction et encadrement de travaux d'étudiants (projets et travaux de find'études) ;
  • Tâches de gestion et d'organisation liées au domaine d'enseignement et derecherche ;

Pour le poste de professeur-e HES :

  • Conduite de projets de recherche appliquée et de prestations de service pour les milieux professionnels et les entreprises

Profil

  • Diplôme d'une haute école en information documentaire (volet archivistiqueou RM) ou titre jugé équivalent, complété par un 2e cycle, 3e cycle souhaité
  • Expérience professionnelle de plusieurs années
  • Expérience d’enseignement dans le domaine de la formation supérieure
  • Capacité d'intégration dans un environnement en pleine mutation
  • Motivation à travailler en équipe et à porter une ambition commune
  • Facilité de rédaction en français. Si possible, connaissance de l'allemandet/ou de l'anglais

Pour le poste de professeur-e HES :

  • Expérience avérée dans la conduite de projets de recherche appliquée et demandats, si possible au niveau international

Délai de candidature
14 novembre 2008

Entrée en fonction
1er février 2009 (à discuter)

La HEG examine les candidatures dans une perspective de parité. Les dossiers de candidature complets sont à adresser à :Mme Magali Dubosson Torbay, directrice – Haute école de gestion de GenèveCampus Battelle – bât. F. – 7, rte de Drize – CH-1227 CarougeRenseignements : Yolande Estermann Wiskott, responsable du département Information documentaire+41 22 388 17 53 yolande.estermann@hesge.ch

Friday 10 October 2008

Reding: EU to govern Internet of the future

The European Commission will roll out a range of initiatives in the coming months to promote the Internet of the Future, while remaining highly vigilant in protecting citizens and networks, Information Society Commissioner Viviane Reding told EurActiv in an interview.

The EU executive identified the following key topics to be addressed by 2009 in to prepare Europe to the new generation of the Internet: the early challenges of the Internet of Things, rolling out Next Generation Access Networks, opening radio spectrum to wireless services, broadband for all, security of critical communication infrastructure, privacy concerns related to the massive deployment of Radio Frequency Identification (RFID) tags and Internet governance.

Speaking at the Internet of Things conference organised by the French EU Presidency in Nice on 6-7 October, Commissioner Reding outlined told EurActiv what she expected would be the main challenges ahead.

First of all, Brussels wants to pave the way for possibly the biggest revolution that the Web has ever seen: the emergence of an Internet of Things, whereby objects have a virtual identity and communicate between each other to provide services of every kind, from healthcare to transport security.

At the end of September, the Commission opened a public debate on the main issues related to the Internet of Things, publishing a position document . In November, a recommendation is expected on the privacy and security risks linked to the deployment of RFID tags, the technology at the core of the Internet of Things. Commissioner Reding wants to maintain a fair balance between the promotion of RFID and the new societal risks posed by society (EurActiv 06/10/08).

In early 2009, the EU executive is due to publish definitve guidelines for the roll-out of Next Generation Access Networks, the key infrastructure for a future Internet based on data-hungry services (EurActiv 19/09/08). A review of radio spectrum is also ongoing, so as to exploit the so-called 'digital dividend' which will result from the switch from analogue to digital TV by 2012. The target is to increase the provision of wireless and mobile Internet services and, as a result, broadband penetration in Europe.

Protection of critical online infrastructure, such as networks or key servers, is also high on the Commission's agenda. To avoid cyber-attacks such as that which hit Estonian public Internet services in 2007, the EU executive will propose concrete action at EU level in a document to be published in 2009 (EurActiv 09/04/08).

The global governance of the Internet and its next developments is also considered crucial by Brussels, with Reding explicitly aiming to challenge US control of many key elements of the Net.
To read the full text of the interview, please click here.

Links
European Union
European Commission: Communication on future actions of the Commission on Internet issues (29 September 2008)
European Commission: Working document on the early challenges regarding the Internet of Things (29 September 2008)
European Commission: Draft recommendation on NGANs (18 September 2008)
EU French Presidency: Conference on the Internet of Things, the Internet of the future (6-7 October 2008) [FR]

From euractiv.com

Thursday 9 October 2008

Public comment period for eHEALTH Standardization

CEN, CENELEC, and ETSI, the three European Standards Organizations (ESOs) announce the launch of a public comment period for the final draft report of the joint project ‘eHEALTH-INTEROP’, which will address the requirements of the European Commission mandate on standardization in the field of e-health. This mandate (M/403) aims to provide a consistent set of standards to address the needs of this rapidly evolving field. The report includes the result of an inventory of existing standards from the many different organizations in the sector, including international formal bodies and industry standards consortia. An analysis of sector needs and recommendations for specific standards development has subsequently been carried out, and a first draft of a work program has been included that reflects the need for coherent, cost-effective, and secure provision of electronic healthcare services.

Currently, public consultation on the draft work programme and final reporting to the European Commission is possible. The draft report is available on the website: www.ehealth-interop.nen.nl
On 7 November, an Open Meeting will be organized in Copenhagen to discuss amendments. The draft agenda is available at www.ehealth-interop.nen.nl/publicaties/2899.

For more information, please contact Ms. Shirin Golyardi, NEN, shirin.golyardi@nen.nl.

EDPS decision on the right of access to and rectification of medical file

On 14 November 2007, an employee of the European Parliament submitted a complaint to the European Data Protection Supervisor (EDPS) claiming that she was denied to exercise her right of access and rectification to her medical file by the Sick Leave Management Unit of the Parliament.

In his legal analysis, the EDPS gave inter alia a non-restrictive interpretation of Article 13 of Regulation (EC) No. 45/2001 (right of access) and held that the complainant did not only have the right of access to her medical file but also the right to obtain a copy or photocopy without any limitation in terms of copies of her own medical data. With regard to the right of rectification of her data, the EDPS stressed that although it is impossible to rectify medical appreciations, the complainant should have the right to keep her medical file up to date by adding other medical opinions. As to the complainant's request to transfer her medical file to the doctor appointed by her, the EDPS considered that the necessity of such transfer was demonstrated by her explicit consent, which also proved that it could not have prejudiced the data subject's legitimate interests.

The EDPS concluded that the Parliament:

  • had not respected the 3 month deadline foreseen in Article 13 of the Regulation according to which the complainant should have been granted access to her medical file;
  • had refused to allow the complainant to make photocopies of her medical file without a legal basis contrary to Article 13;
  • had not granted the complainant the right to rectify her data so that all data in her medical file are complete and kept up to date, in violation of Articles 14 and 4(d); and
  • had refused to transfer the complainant's complete medical file to the doctor appointed by her in infringement of Article 8 (transfer of data).

In the light of the above, the EDPS urged the Parliament to ensure that the complainant's rights are fully respected. The EDPS decision on this complaint was of a particular interest for the Parliament's trade union SFIE which sent an e-mail to the staff of the European Parliament citing the EDPS recommendations.

For more, go to http://www.edps.europa.eu/

Tuesday 7 October 2008

EU privacy advisory body looking at e-discovery

The Article 29 Working Party subgroup dealing with E-discovery met in September to discuss this transborder issue. A draft working paper should be proposed for discussion and possible adoption at the next plenary session of the Article 29 Working Party in December.

The Article 29 Working Party on the Protection of Individuals with regard to the Processing of Personal Data is an independent advisory body on data protection and privacy, set up under Article 29 of the Data Protection Directive 95/46/EC. It is composed of representatives from the national data protection authorities of the EU Member States, the European Data Protection Supervisor and the European Commission. Its tasks are described in Article 30 of Directive 95/46/EC and Article 15 of Directive 2002/58/EC. The WP is competent to examine questions covering the application of the national measures adopted under the data protection directives in order to contribute to the uniform application of the directives. It carries out this task by issuing recommendations, opinions and working documents.

http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/index_en.htm

Monday 6 October 2008

EU to pave way for deployment of smart tags

From Euractiv.com

The French EU Presidency will today (6 October) hold a high-level conference dedicated to building the so-called 'Internet of Things'. The meeting comes as the Commission prepares to present measures aimed at overcoming privacy concerns related to the use of the Radio Frequency Identification (RFID) microchips that are expected to lead the technological revolution.

Brussels considers the creation of the 'Internet of Things' as a key priority as it could provide solutions for a wide range of societal problems, such as ageing populations.

In a future world where ubiquitous tags and sensors would be attached to everything from letters to walls or clothes, the Commission believes many things will be possible. "A blind person might see," said one information society expert at the EU executive.

Indeed, according to the 'Internet of Things' vision, objects could communicate among themselves, for instance allowing a blind person to walk down a street knowing exactly what is around him. "This would be done by using a tag reader, able to detect and read the information contained in tags disseminated everywhere," added the expert.

Elderly people could also benefit from household goods that anticipate their needs and requests, such a fridge which orders more eggs from the supermarket once they have run out, or clothes capable of constantly measuring key health indicators, like blood pressure or heartbeat.

However, the use of RFID chips also raises concerns regarding the privacy and security of carried information, as tags could contain personal details potentially exploitable by anyone equipped with a tag reader.

To address these concerns, the Commission will present, in November, a recommendation to member states encouraging them to adopt initial measures to make people more aware of the existence of RFID embedded in objects or rooms, and to avoid misuse of the new technology.
According to the upcoming recommendation, a draft of which has been circulating since April 2008 (EurActiv 26/02/08), all companies interested in using RFID, from airlines to retailers, will have to draw up a 'privacy impact assessment' to verify the potential privacy-related risks of the devices they are using.

What's more, retailers, such as Carrefour or Metro, will be required to de-activate any tags attached to items they sell once the buyer leaves their stores. However, retailers are already resisting such a measure for fear that it will push up their costs and act as a disincentive to the deployment of tags, EurActiv has learnt.

The Commission will also propose two harmonised logos to indicate the presence of RFID in products and tag-filled environments. Awareness-raising campaigns will also be organised and funding is envisaged for projects aimed at developing privacy and security-friendly tag designs.
But the RFID revolution still appears distant, hampered not only by privacy and security concerns but also by a lack of international standards. Technical skills are also lacking, with the software industry pointing out that Europe would be incapable of coping with massive deployment of RFID due to a lack of qualified engineers to deal with tags.

In September, the EU executive launched a public consultation on the "early challenges of the Internet of Things," which is expected to result in the publication of an official document in the second quarter of 2009.

For more, go to http://www.euractiv.com/en/infosociety/eu-pave-way-deployment-smart-tags/article-175998

Saturday 4 October 2008

Deutsche Telekom Says Data From 17 Million Customers Was Stolen

Deutsche Telekom has confirmed that personal information from 17 million of its mobile phone customers was stolen in 2006, including secret telephone numbers of high-profile politicians and celebrities.

Deutsche Telekom said the stolen data includes customer mobile phone numbers, addresses, dates of birth and, in some cases, email addresses. Bank information or credit card numbers were not accessed, said the Bonn-based firm.

There has reportedly been no indication that the data has been misused, though the Telekom said "extreme criminal energy" was behind the theft.

German newsmagazine Spiegel reported on Saturday, Oct. 4, that is had obtained access to the missing information via a third party. The news apparently came as a surprise to Deutsche Telekom, where the case was considered closed.

"We had assumed that this data had been fully secured as part of an investigation by the district attorney," Philipp Humm, director of Deutsche Telekom's mobile phone division T-Mobile, said in a statement. Data security measures had been fortified since 2006, he added.

According to media reports Saturday, Oct. 4, Telekom had contacted the appropriate authorities as soon as the data was stolen in 2006 and an investigation has since been underway.

Telekom said it had conducted research after the theft and discovered that copies of the data had been offered on the black market but had apparently not been bought. Few customers brought complaints pertaining to the data mishap, though a special hotline telephone number was set-up.

The public prosecutor's office in Bonn told reporters that pieces of data had been confiscated from private homes, but that the thieves themselves had not yet been detained.

Celebrity customers, including comedian Hape Kerkeling and television moderator Guenther Jauch, high-ranking politicians, billionaires and clergymen were reportedly among those affected by the data breach.

For some of them, it could represent a threat to their security if their secret personal telephone numbers landed in the hands of criminals.

Saturday's revelation is not Telekom's first brush with data scandals. Earlier this year, the firm admitted that calls between journalists and board members had been illegally monitored in 2005 and 2006.

From http://www.dw-world.de/dw/article/0,2144,3690132,00.html

Friday 3 October 2008

How to prevent on-line manipulation: EU Agency ENISA publishes white paper on ‘Social Engineering’

ENISA, the European Network and Information Security Agency, has launched a white paper on ‘Social Engineering’, (i.e. on-line manipulation, through social networks, email, also known as ‘Nigeria-letters’ or ‘advance-fee frauds’, instant messaging, or Voice Over Internet Protocols (VoIP)). The Agency provides 3 case studies portraying how easy users are manipulated, identifies 5 defence measures and issues a check list, ‘LIST’, for users to counter social engineering. Finally, the Whitepaper includes an exclusive interview with the world famous security author, speaker, and consultant Kevin Mitnick.

What are the risks of on-line manipulation, or “Social Engineering”? Fraudsters frequently manipulate people and exploit human weaknesses through ‘social engineering’. That way, people break their normal security procedures. The scale and sophistication of such fraud is increasing, (27.649/month, Jan.’07-Jan ‘08, according to APWG). Several new ways are used to reach users (e.g. instant messaging, VoIP, and social networking sites apart from emails). Successful social engineering entails:

  • A convincing pretext for contacting the target,
  • Getting the facts right by research,
  • Timing and exploitation of current events, e.g., the Tsunami event, or a Santa Claus mail around Christmas, with a worm included.
  • Exploit human behaviour and psychology.

Three e-mail based case studies portray how easy it is to trick ordinary users:

  • Case 1: 179 respondents assessed 20 messages (11 bogus, and 9 legitimate), and only 42% of the users could correctly classify the mails; (32% were classified incorrectly and 26% as ‘do not know’.)
  • Case 2: Of 152 targeted end-users within an organisation, 23% were tricked into accepting malware infections.
  • Case 3: Over 500 undergraduate students followed embedded links, opened attachments, etc. The rate of failure was 38-50%. The good news is that the failure rate was reduced with training.

The Agency identified 5 defence measures against social engineering. However, the key to success lies in improving users’ awareness. Users should use a checklist of questions to verify the Legitimacy, Importance of the Information, the Source and Timing (LIST) (for full checklist see p 25-26 of the report.) Mr Mitnick underpins the report with the claim that it is much easier to trick someone into revealing their password, rather than making an elaborate hack.

The Executive Director of ENISA, Mr. Andrea Pirotti, comments:
Making staff and users aware of security is of serious concern for Europe. We should all become more aware and ‘responsible on-line EU-citizens’, in our own interest of being able to benefit of the Internet safely

The report has been elaborated with the kind support of the ENISA Awareness Raising Community and is available at: http://enisa.europa.eu/doc/pdf/publications/enisa_whitepaper_social_engineering.pdf

Thursday 2 October 2008

European Digital Library to soon go online

The vision to make available Europe's cultural diversity in books, music, paintings, photographs, and films to all citizens via one single portal could become reality this autumn.

This vision is the driving force behind all efforts for the establishment of the European Digital Library, Europeana, an initiative within the framework of European Commission’s i2010 strategy. This digital library shall serve as single point of access for digital versions of works from cultural institutions all over Europe, including material from museums, libraries and archives abroad, which users will be able to visit without having to travel or turn hundreds of pages to find a piece of information.

According to Viviane Reding, EU Commissioner for Information Society and Media, "The European Digital Library will be a quick and easy way for people to access European books and art – whether in their home country or abroad. It will, for example, enable a Czech student to browse the British library without going to London, or an Irish art lover to get close to the Mona Lisa without queuing at the Louvre."

However, according to the Communication from the Commission of August 2008, further efforts by the EU Member States are needed, on making available digital versions of works from cultural institutions all over Europe. In particular, the vision of a European Digital Library needs substantial investment from national institutions. However, at present most countries only provide small scale, fragmented funding for digitisation. Therefore, The Commission called on Member States to raise digitisation capacities to make their collections available for Europe's citizens, team up with the private sector, and address the following priorities:
  • More funding needs to be allocated to digitisation, along with plans for how much material will be digitised.
  • Most countries still lack methods, technologies and experience for the preservation of digital material, vital so that content remains accessible to future generations.
  • Common standards need to be implemented to make different information sources and databases compatible for and usable by the European Digital Library.

The Commission itself confirmed its commitment to help Member States bring their valuable cultural content online. To this purpose, in 2009-2010 € 69 million from the EU's research programme will go to digitisation activities and the development of digital libraries, while approximately another € 50 million will be allocated by Europe's Competitiveness and Innovation Programme to improve access to Europe's cultural content.

The launch of Europeana is expected to take place in November 2008.

Further information:
Rapid Press release
European Commission’s Communication - Europe’s cultural heritage at the click of a mouse COM(2008) 513
Europeana

From http://www.epractice.eu/document/5068

Wednesday 1 October 2008

ARMA International's 53rd Annual Conference and Expo in Las Vegas October 20-23

Is the management of electronic records and information keeping you awake at night? Have litigation demands driven you to distraction? Do you wish you had solutions to the information management issues facing your organization? There's only one place to go for help...ARMA International's 53rd Annual Conference and Expo in Las Vegas October 20-23. Yes, this world-renown event is where professionals go for real business solutions, best practices, technology tools and innovative ideas. Professionals like yourself who are
  • Records and information management professionals
  • General and inside counsels
  • Legal administrators
  • RIM and IT consultants
  • CIOs and IT managers

Fact is, if you're involved in managing records and information, this is the place to go to become inspired, educated, connected. You'll get to choose from more than 100 sessions. You'll see the latest technology products and services from 200 of the industry's top providers, including CA, Oracle, IBM, Google, Iron Mountain, and so many more. Plus, you'll be able to meet and talk with an estimated 3,000 colleagues from around the world.You won't find a better opportunity anywhere else. Come for the weekend and play. Or better yet, attend one of the Pre-Conference seminars on Saturday, October 18 and Sunday, October 19. Then prepare yourself, because things really start rockin' and rollin' on Monday.

For more, please visit http://www.arma.org/conference/2008/

Swedes and Dutch best EU broadband performers

Sweden and the Netherlands are the best EU performers when it comes to broadband internet, while Bulgaria and Cyprus come last, according to a report by the European Commission.

"Both countries [Sweden and the Netherlands] have a favourable socio-economic context, with a high propensity to use advanced services and a competitive environment that has ensured affordable prices and high speeds," says the commission in its paper on broadband performance in the EU member states.To measure that performance, Brussels is using a so-called Broadband Performance Index (BPI) based on a series of factors, including speed, rural coverage, affordability, innovation, as well as socio-economic dimensions.

Denmark, the UK, France and non-EU member Norway follow Sweden and The Netherlands, while Poland, Romania, Cyprus and Bulgaria come last.

"Their performance is limited in most dimensions by the socio-economic context and by high prices" in some of the countries, reads the paper.

Poor competition, lack of digital skills and limited PC penetration are among the other cited factors.

On average, some 36 percent of EU households currently enjoy high-speed internet access, although the figures vary widely among the member states.

The commission's aim is "to make broadband Internet for all Europeans happen by 2010," EU telecoms commissioner Viviane Reding stated last week.

Brussels also believes Europe could take the lead in the next internet generation - or Web 3.0 - as it is "already well placed to exploit [the] broadband opportunities, thanks to an open and competitive environment for investments."

"Web 3.0 means seamless 'anytime, anywhere' business, entertainment and social networking over fast reliable and secure networks … Europe has the know-how and the network capacity to lead this transformation," Ms Reding said.

"We must make sure that Web 3.0 is made and used in Europe," she added.
The commission launched a public consultation on Monday (29 September) on its strategy "to respond to the next wave of the Information Revolution" and on the private sector's possible responses to the developing situation.

From: http://euobserver.com/9/26831

Monday 29 September 2008

Germany and UK want global financial regulator

The UK and Germany believe that a new international system regulating the financial sector must be constructed to prevent a repeat of global banking crisis in the future.

Peter Steinbrueck, Germany's Social-Democrat finance minister, raised on Sunday (21 September) the idea of "an international authority that will make the traffic rules for financial markets," while speaking to German radio, Reuters reports.

Meanwhile, UK Prime Minister Gordon Brown is to outline proposals for just such a body, run under the authority of the International Monetary fund, in a speech to the Labour Party conference on Monday, as well as domestic plans to crack down on "irresponsible" bonuses handed out in the City, London's financial quarter.

"I think what people haven't appreciated is we've now got global financial systems but we've only got national regulators to cover them," Mr Brown told the BBC ahead of the speech, adding that he had been trying to convince his international counterparts for years of the need for "a global system of financial regulation."

His finance minister, Alistair Darling, according to the country's Guardian newspaper, is also set to tell his fellow Labour Party members: "Just as one government alone cannot combat global terrorism, just as one government alone cannot combat climate change, so one government alone cannot deal with the consequences of globalisation."

Continue reading here: http://euobserver.com/9/26784?print=1

Workshop"International Transfers of Personal Data", Brussels

The European Commission organises on 21 October 2008 in Brussels a Workshop on International Transfers of Personal Data jointly with the Article 29 Data Protection Working Party - the independent EU Advisory Body on Data Protection and Privacy - and the United States Department of Commerce's International Trade Administration.

This Workshop is a follow up of the previous Conferences held in Brussels in October 2006 and in Washington in October 2007 organised by the European Commission, the Working Party and the US Department of Commerce.

More information on the programme. (PDF File 69 KB)
For further information, please contact: JLS-DP-CONFERENCE@ec.europa.eu.

Friday 26 September 2008

How do you sell security to the CEO?

How do you open the CEO’s eyes for security? EU Agency report launched on how to get support and funding for security initiatives from corporate executives. How do you get the CEO to open the wallet?

The EU Agency ENISA (The European Network and Information Security Agency) launches a report on how to convince the CEO to support and invest in security initiatives. The Agency issues 9 recommendations on how to overcome obstacles, identifies 7 hands-on advice to get a buy-in in a senior management meeting, and gives 5 cases studies to identify key problems, issues and solutions in the report ‘Obtaining support and funding from senior management’ for awareness raising initiatives.

The cost of lost data due to human errors is almost 30% according to Pepperdine University, (where 40% is attributed to hardware failure, and software corruption/viruses amounts to only 19%). So how do you get your CEO to understand that security and the ‘soft’ element of awareness raising is crucial for business, and to open the corporate coffers for investments? The ENISA paper points out obstacles and challenges to obtain support and funding from senior management and provides practical advice on how to overcome these issues during the planning and implementation phases of an information security programme.
Five areas are identified as being crucial to obtain corporate security investments, in brief:
1. Define the investment rationale and the right stakeholders.
2. Build a persuasive business case to make senior management better understand the value of the investment to obtain funding and commitment.
3. Estimation of programme costs: allows organisations to identify the most common expenses which may incur and make rough estimates.
4. Linking business benefits to an information security initiative, define and calculate performance metrics.
5. Detail a typical path to face a corporate executive in a senior management briefing.

Effective communication is critical: the right information should be delivered at the right time, in the right manner, preferably 6-12 months ahead the project.

According to the Executive Director of ENISA, Mr. Andrea Pirotti:
"Making CEO’s understand that security is crucial for business and a corporate matter, not merely an ICT issue, is key, but not a trivial exercise. This is a guide for European business how to anchor the Return Of Investments in security and make it to a business case."

For further details: http://www.enisa.europa.eu/

Thursday 25 September 2008

Article 29 Data Protection Working Party reacts to Google's reply to the Opinion on data protection issues related to search engines

In reaction to the opinion of the Article 29 Working Party on search engines, Google reaffirmed its wish to collaborate with European data protectionauthorities and announced that it will reduce its retention period to 9 months. But in substance, Google refuses for the moment to submit to the Europeandata protection law.
__________________

On April 4, 2008, the Article 29 Working Party published an opinion on search engines,reaffirming the applicability of the European data protection law, recommending a maximumretention period of 6 months and indicating that web users must be able to provide consent to the exploitation of their data in particular for profiling purposes.Google answered to this opinion on September 8, 2008, by reaffirming its interest for a better consideration of data protection. Two significant modifications were announced on thisoccasion:
1. From now on, IP addresses associated with the requests carried out on the searchengine will be anonymized after 9 months (instead of 18 as it is now the case) ;
2. A link to Google’s privacy policy appears on its homepage.

Alex TÜRK, Chairman of the Article 29 Working Party and the French Data Protection Authority (CNIL), takes note of this improvement with satisfaction. M. TÜRK also notes thecommitment of Google to collaborate with data protection authorities and its efforts to inform its users about data protection issues using clear and innovative tools.

However, he considers that strong disagreements remain. In particular, Google:
- considers that the European law on data protection is not applicable to itself, even though Google has servers and establishments in Europe;
- wishes to retain personal data of users beyond the 6 months period requested by the Article 29 Working Party, without any justification;
- does not make any improvement to its anonymization mechanisms, which are still insufficient;
- considers that IP addresses are confidential data but not personal data, which prevents granting certain rights to its users,
- does not express the willingness to improve and clarify the methods that are used to gather the consent of its users.

In conclusion, despite some progress, significant work must still be carried out to guarantee the rights of internet users and to ensure the respect of their privacy. In this perspective, theArticle 29 Working Party will lead hearings with Google to discuss the points of dissension.

For the press release, go to: http://ec.europa.eu/justice_home/fsj/privacy/news/docs/pr_16_09_08_en.pdf
For more on EU data protection, go to: http://ec.europa.eu/justice_home/fsj/privacy/news/index_en.htm

Wednesday 24 September 2008

ARMA International presents Records and Information Management: You, Your Organisation, and the Profession

The next organised opportunity for European members to meet will be on 6 November 2008 in Brussels when ARMA International presents Records and Information Management: You, Your Organisation, and the Profession

The agenda will include topics such as:

  • Future trends in RIM
  • The link between RIM and enterprise risk management
  • The importance of collaboration between RIM, IT, Security and Legal
  • Advancing your RIM career, including the role of competencies and professional certification

Registration

Members: EUR 90 (+VAT)*
Non Members EUR 130 (+VAT)*

*Includes evening dinner and refreshments


The fee for non members includes a EUR 50 credit toward other participation in other ARMA International events in Europe. Click here to join ARMA and get a discount on every ARMA event and enjoy the benefits of being a member of the largest global professional society for records and information managers.

Registration information will be made available soon. To pre-register and reserve a place, please send an email to Europe@arma.org

Join the LinkedIn Group for ARMA International members in Europe

Join the LinkedIn Group for ARMA International members in Europe. This group will allow you to strengthen your professional network, interact with your professional peers and exchange ideas, information and best practices.

To join, please click here: http://www.linkedin.com/e/gis/893797

ARMA International Board Approves Formation of European Group

Over the past couple of years ARMA International has increased its efforts to promote the records and information management profession and principles in Europe. As a result, we have seen increased interest at the policy-making level as well as the individual professional level. The association has been approached about forming an official entity in Europe that would allow individuals to affiliate more closely with ARMA International as members.

The Board of Directors approved the formation of a group in Europe at its May meeting. This group is being formed as a catalyst for current and future members in Europe to network, convene local education programs, and provide broader dissemination of regulatory and policy information provided through ARMA International’s EU Policy Brief, for example.

It also opens the possibility for the creation of local Chapters where this is desired. For more information on how to create a chapter in your area, please contact Tom Killam, Director of Members Services at ARMA HQ at tkillam@arma.org.