Included in this issue of Data & Privacy News: Yahoo agrees to pay $50 million in damages for 2013 security breach; MEPs call for action to protect citizens' privacy from abuse following Facebook fine and more...
Yahoo agrees to pay $50 million in damages for 2013 security breach
Yahoo has agreed to pay $50 million in damages and provide two years of free credit-monitoring services to 200 million people whose personal data was stolen in a huge security breach in 2013.
It took Yahoo three years to disclose details of the data theft, which included names, email addresses, dates of birth and hashed passwords. The problem only came to light when Yahoo negotiated a $4.83 billion deal to sell its digital services to Verizon Communications. Yahoo had to reduce the price by $350 million to reflect its tarnished brand and for potential costs stemming from the breach.
The settlement, reached in a San Francisco court, covers around a billion accounts held by an estimated 200 million people in the U.S. and Israel from 2012 to 2016.
Half of the settlement costs will be covered by Verizon, while Altaba, a firm set up to take on the parts of Yahoo not acquired by Verizon, has agreed to pay the rest.
MEPs call for action to protect citizens' privacy from abuse following Facebook fine
European members of parliament (MEPs) have called for action to protect citizens' privacy from abuses in the wake of the Facebook-Cambridge Analytica scandal.
The MEPs have demanded a full audit of Facebook by EU bodies following the Information Commissioner's Office announcement of a £500,000 fine.
In addition to the audit, MEPs have requested that electoral laws be updated to reflect the changing digital reality and that EU member states probe suspected abuse of online political spaces by foreign powers.
National Cyber Security Centre issues new guidance after security vulnerabilities found in children's toys and baby monitors
The National Cyber Security Centre has issued guidance to manufacturers after security vulnerabilities were found in children's toys and baby monitors connected to the internet.
So far, hackers have managed to obtain audio from a baby monitor and override the position and temperature information of an infant on an activity tracker.
The Government has launched a new voluntary code of practice that urges manufacturers to boost the security of internet-connected devices such as smart watches, virtual assistants and toys. It stipulates that devices cannot have default passwords and companies must notify authorities of any security vulnerabilities.
Some companies have already signed up to the code and the government is now exploring more options for strengthening compliance with the guidelines.
Court of Appeal reverses High Court's decision on medical report data subject access request
The UK Court of Appeal, by majority, has reversed the decision of the High Court and allowed the General Medical Council, as data controller, to disclose to a patient an expert medical report following a data subject access request.
The medical report in question contained a mix of personal information of the patient and Dr. B, the treating doctor. The patient wished to use the report to support a claim of malpractice against Dr. B.
The Court of Appeal noted that the patient's requirement to obtain evidence for litigation was not a valid reason for declining such a request and suggested a potential safeguard be put in place to deter misuse by the requestor.
In the case, the Court applied the rules from the Data Protection Act 1998, but the same approach will apply to consideration of cases under the new Data Protection Act 2018.