This week:
The Data Protection Commission (Ireland’s data protection regulator) published its annual report* on Thursday, so this is the source for this week’s Cyber 3-2-1:
3 – Why your Ring cameras could Bring you into GDPR.
2 – What you can learn from Maynooth University.
1 – Why the most common cause of a data breach may surprise you.
(You can access the DPC report and case studies at https://dataprotection.ie/annualreport2024/)
3 – Why your Ring cameras could Bring you into GDPR.
What’s the story?
In 2024, the DPC received 157 complaints about the use of CCTV cameras in a domestic setting.
So what?
Many people have video doorbells these days, and a significant number have other cameras in operation on the outside or even inside their homes.
There is an exemption in GDPR if your cameras are used solely for the management of your personal, family or household affairs or kept by you for recreational purposes.
But if the cameras capture areas outside the perimeter of your property (e.g. public areas or neighbouring properties), you may not be able to claim this exemption and you will need to comply with the legal obligations of a Data Controller*.
In other words, make sure your cameras aren’t capturing areas outside of your property!
(* The DPC has issued guidance on the use of Domestic CCTV here).
2 – What you can learn from Maynooth University.
What’s the story?
In 2018, attackers gained access to 6 of Maynooth University’s email accounts. The DPC investigated the incident and the security defences that the university had in place at the time of the attack.
6 years later, the university was fined €40,000 and told to do better.
So what?
If you aren’t sure about the strength of your organisation’s defences, take a look at the 6 recommendations on page 40 of the DPC report.
Unsurprisingly, the first recommendation is to enforce the use of Multi-Factor Authentication on all accounts, so that the only thing protecting you from an attack isn’t “LiverpoolFC&2025” (or some other ‘complex’ password).
1 – The most common cause of a data breach may surprise you.
What’s the story?
Of the 7,781 data breach notifications received by the DPC in 2024, 50% of the breaches were caused by someone sending data to the wrong person.
So what?
Yes, you should worry about the malicious acts of outsiders. But you should also worry about honest mistakes by your own people.
It’s a fact of life that we will all send a letter or an email to the wrong recipient at some point in our lives.
To reduce the impact of this error, we should not include lots of sensitive information (e.g. personal data) in the correspondence or email without putting some sort of protection on it.
For example, when it comes to email:
- Protect email attachments with a password that only the intended recipient would know.
- Alternatively, instead of using an attachment, share the information via a secure link through SharePoint / Dropbox / Google Drive, so you can revoke the link if you realise you’ve sent the email to the wrong person.