It has been reported that cyber criminals are creating as many as 57000 websites every week in a bid to obtain data from unsuspecting people. Many of these websites look and appear to be exactly like those websites you regularly use such as Visa, Amazon, Ebay, Paypal etc.

Phishing

The bogus websites are often made to look exactly like those of legitimate bank, auction, or shopping websites. The threat arises when users are unable to determine the authenticity of the websites when they click into them through search engines or email messages. While Search Engines and various security software companies do try to thwart the efforts of the hackers it can’t eliminate all the risks. This is why users need to be extremely vigilant when logging onto these websites.

According to Panda Labs 2/3 of these bogus websites related to banking websites.  ”Given the proliferation of this technique, we advise consumers to visit banking sites or online stores by typing in the address in the browser directly rather than using search engines or links in an email,” Corrons said.

While typing in the address of the website will mitigate some attacks it does not ensure complete safety said Alan O’Regan from Secured.IE. Some of these attacks hijack DNS requests so even though you have typed the correct website into the address bar you may still end up being diverted off to a bogus website.

Irish companies that loose the personal data of more than 100 people will be obligated by law to report the breach to the authorities according to the new rules proposed by the Data Commissioner.

The only instance where a company or organisation can avoid having to report the breach is ensuring that data is encrypted and protected by a strong password, or in the case of lost or stolen equipment that a remote memory-wipe feature on a device be activated immediately.

In 2008 the Irish Government ordered a review to determine whether or not reporting obligations protected individuals sufficiently. It recommended that some kind of official guidance was necessary in the event of a breach.

The Irish Data Protection Commissioner has now published a draft Code of Practice outlining exactly when reports to him must be made.

“I have sought to bring forward a draft Code as quickly as possible after the Review Group report to respond to public concern in relation to organisations losing personal data under their control while at the same time not imposing an undue burden on those organisations,” said Irish Data Protection Commissioner Billy Hawkes.

In the event of an organisation loosing data comprising of sensitive medical or financial data then this must still be reported even if fewer that 100 people are involved.

“Data controllers who are required to report to the Office of the Data Protection Commissioner in accordance with this Code must do so within two working days of becoming aware of the incident,” said the guidance.

“Such data controllers are required to provide a detailed report of the incident reflecting careful consideration of … the amount and nature of the personal data that has been compromised; what action is being taken to secure and / or recover the personal data that has been compromised; what actions are being taken to inform those affected by the incident or reasons for the decision not to do so; what actions (if any) are being taken to limit damage or distress to those affected by the incident; and a chronology of the events leading up to the disclosure,” it said.

“The Office of the Data Protection Commissioner will investigate the issues surrounding the data breach,” it said. “Investigations may include on-site examination of systems and procedures and could lead to the use of the Commissioner’s legal powers to compel certain actions. Such actions may include a recommendation or requirement to inform data subjects about a security breach incident where a data controller has not already done so.”

The draft code of practice can be found here.

In the U.K. in April 2010 The Information Commissioner for the first time gained the power to fine organizations for violating the Data Protection Act. Fines up to £500,000 can be levied. In the case of Banks and Insurances companies other agencies have the power to impose even greater fines.

The European Union approved a data breach notification law last year as part of telecoms law reforms however this law only applies to telecoms firms. The Commission and Council rejected EU Parliament proposals to have the law apply to businesses that operate online, such as shops and banks.