Patching the patchwork: appraising the EU regulatory framework on cyber security breaches

Breaches of security, a.k.a. security and data breaches, are on the rise, one of the reasons being the well-known lack of incentives to secure services and their underlying technologies, such as cloud computing. In this article, I question whether the patchwork of six EU instruments addressing breaches is helping to prevent or mitigate breaches as intended. At a lower level of abstraction, the question concerns appraising the success of each instrument separately. At a higher level of abstraction, since all laws converge on the objective of network and information security – one of the three pillars of the EU cyber security policy – the question is whether the legal ‘patchwork’ is helping to ‘patch’ the underlying insecurity of network and information systems thus contributing to cyber security. To answer the research question, I look at the regulatory framework as a whole, from the perspective of network and information security and consequently I use the expression cyber security breaches. I appraise the regulatory patchwork by using the three goals of notification identified by the European Commission as a benchmark, enriched by policy documents, legal analysis, and academic literature on breaches legislation, and I elaborate my analysis by reasoning on the case of cloud computing. The analysis, which is frustrated by the lack of adequate data, shows that the regulatory framework on cyber security breaches may be failing to provide the necessary level of mutual learning on the functioning of security measures, awareness of both regulatory authorities and the public on how entities fare in protecting data (and the related network and information systems), and enforcing self-improvement of entities dealing with information and services. I conclude with some recommendations addressing the causes, rather than the symptoms, of network and information systems insecurity.     

Data breaches. Final rule

This document adopts, without change, the interim final rule that was published in the Federal Register on June 22, 2007, addressing data breaches of sensitive personal information that is processed or maintained by the Department of Veterans Affairs (VA). This final rule implements certain provisions of the Veterans Benefits, Health Care, and Information Technology Act of 2006. The regulations prescribe the mechanisms for taking action in response to a data breach of sensitive personal information.     

Data breaches. Interim final rule

This document establishes regulations to address data breaches regarding sensitive personal information that is processed or maintained by the Department of Veterans Affairs (VA). The regulations implement certain provisions of Title IX of the Veterans Benefits, Health Care, and Information Technology Act of 2006, which require promulgation of these regulations as an interim final rule.     

Medical data breaches: Notification delayed is notification denied

The EU and the United States have implemented data breach notification rules that cover the health sectors. Nevertheless, data breach incidents involving medical data continue to rise, especially in the US and the UK. The HITECH Act, Pub. L. 111-5 Title XIII is the first federal health breach notification law in the US to be characterized by less government intrusions, while the revised EU Privacy Directive, 2009/136/EC calls for tougher privacy protection for data held by electronic communication providers. While the EU law sets a global de facto standard, the law remains toothless without strong enforcement mechanisms.     

THE liability for cybersecurity breaches of connected and autonomous vehicles

Connected and autonomous vehicle (CAV) use, having been tested in various cities around the world and adopted in many areas through public transport, is being prepared for private sector use. The connected dimension of CAV provides for the vehicle to communicate with other vehicles and local infrastructure to operate in a safe manner. Yet, it is this communication of data and operation through software which causes potential problems in the event of the software suffering from unlawful modification (hacking). The consequences of a CAV being hacked could result in its features being compromised resulting in accidents, damage, financial loss, deaths and personal injury. It is also likely that hacking will affect fleets of vehicles operating on the same software version rather than individual vehicles. In this paper we argue there is a need for a strategy to determine how responsibility for the damage and loss caused following the mass hacking of CAVs is to be apportioned. This discussion is presently missing in the evolving literature on CAV maturity and we conclude that a national compensatory body offering a guarantee fund from which victims may seek redress would provide the most appropriate solution for all stakeholders.     

The mandatory notification of data breaches: Issues arising for Australian and EU legal developments

Public and private sector organisations are now able to capture and utilise data on a vast scale, thus heightening the importance of adequate measures for protecting unauthorised disclosure of personal information. In this respect, data breach notification has emerged as an issue of increasing importance throughout the world. It has been the subject of law reform in the United States and in other jurisdictions. This article reviews US, Australian and EU legal developments regarding the mandatory notification of data breaches. The authors highlight areas of concern based on the extant US experience that require further consideration in Australia and in the EU.     

综合安全理念与社会公共安全

一．安全防范——以人为本的综合安全理念 1．安全的两种理解     

从张炎北游论其遗民心态

张炎北游是应召书写金字藏经的,按照规定写经结束可以注授一定的官职.这次北游为张炎提供了北上寻妻的机会,而"轰荐福之雷"的结局又恰好排除其出仕新朝的尴尬.虽然北游带有一定的强迫性质,但张炎对它并无反感."题诗未果"之后,张炎匆匆南下,并改变了以往与世隔绝的生活方式,自觉地皈依了江湖.尽管张炎性格中有不少软弱随俗的成分,但他的遗民心态还是不容置疑的.     

Disclosing health information breaches of confidence,privacy and the notion of the "treating team"

The authors utilise cases collected during a randomised population survey to illustrate some of the legal and policy issues concerning routine transfers of information between treating practitioners. Their analysis suggests that implied consent for many routine uses of health information should not be assumed. An important part of consent to health information disclosure is the patients' ability to tailor its scope and content. This requires that they should be provided with additional information. Introducing the measures advised into the clinical setting would bring health information-gathering practices closer to compliance with the collection principles contained in Australian information privacy legislation.     

论侦查权的合理配置

合理配置侦查权是打击犯罪和保障人权的双重需要。我国侦查权配置采用了多重标准,各侦查系统自成体系,互相平等又同时兼具侦查之外的其他职责,这种模式总体上是合理的,但也存在一些弊端。合理配置侦查权需要考虑各种因素,最重要的是侦查效率和侦查公正两大标准,既要符合专业化的发展趋势,又要有利于权力的监督和制约。以这些标准检视我国侦查权的配置,可以对侦查权进行适度调整,例如可以考虑将涉税案件侦查权自公安机关移转至税务机关,以提高侦查效率、减轻公安机关压力并加强对税务机关的检察监督。     

绑架案件侦查中的制信息权

将精确打击中的制信息权用于绑架勒索案件的侦查,是保障人质安全,及时抓捕绑匪的有效手段。探索夺取绑架案件侦查中的制信息权,以情报信息引导精确锁定犯罪嫌疑人,安全解救人质的战术战法对于绑架案件的及时侦破具有重要的现实意义。     

Investigating demodex in forensic autopsy cases

Demodex is an ectoparasite living in the skin as a nonpathogen or a pathogen. It is also known that demodex acts as a vector of pathogenic microorganisms. In this study, we have investigated the rate of occurrence and vitality of demodex in forensic autopsies that have a high risk of contamination by infected organisms. The study, which was cross-sectional, conducted on 100 autopsy cases: 77 of the bodies were male and 23 female. The average age was 41. The samples were taken from the forehead, nose, cheeks, eyelashes and the temporal areas using the standardized skin surface biopsy and hair epilation techniques that were modified for this study. The data obtained were assessed statistically. Demodex was determined in 10% of all the cases. The cases revealed that demodex increased in old age and was more frequently seen in people with fair complexion. It was most frequently found in the forehead and the cheek. The longest postmortem interval in the positive cases was 55 h. The relationship between the postmortem interval and the presence of demodex was not statistically significant. Considering the fact that demodex, which is transmitted from human to human through skin contact, acts as a vector of pathogenic organisms and can stay alive in dead bodies for a long time, we think that the personnel performing autopsies without taking the necessary precautions are under risk.