
Tomorrow is the big day! The General Data Protection Regulation becomes effective Friday. Earlier this week, the deputy general counsel of Microsoft made an important announcement: "we will extend the rights that are at the heart of GDPR to all of our consumer customers worldwide." If you have data stored by Microsoft, you'll have the same rights as an EU citizen to request that they disclose, correct, or delete it - no matter where you're from. Microsoft has set up an online site where you can initiate the process.

The 'privacy dashboard' allows you to view and clear different types of data:

1. Browsing history

2. Search history

3. Location data

4. Product performance data

5. Health data

You can also manage your privacy settings on this site, and download an archive of your personal data.

I have to say that despite the fact that I've been using Windows and other Microsoft products for years now, none of my data is actually available through the dashboard at this point.

I guess it remains to be seen how useful Microsoft's new services are in practice.



Microsoft has an online GDPR self-assessment that you can take here. It consists of three stages addressing:

1. The protection of personal data.

2. Compliance risk

3. Streamlining compliance processes

The points that Microsoft emphasizes for the protection of personal data include:

a. Built-in protection for data collection and processing

b. Encryption of personal data.

c. Automation of the classification of end user sensitive data

d. Controls over personal data such as multi-factor authentication and contextual access management (granting access based on a user's location, device, the type of data requested, the time of the request, and the position of the user).

e. Types of data to which control policies can be applied

f. Whether or not data subjects would be notified in the event of a breach, and whether the supervisory authorities would be informed within 72 hours.

g. How much data is stored in the cloud

The points that Microsoft emphasizes for compliance risk include:

a. Whether or not consent is obtained before personal data is used.

b. Notification of third party sharing details; the data retention period; and the purpose and legal basis of processing.

c. Response time for requests to stop using personal data.

d. Response time for requests to correct personal data.

e. Ability to conduct a Data Protection Impact Assessment

f. Tracking of data in and out of the European Union

g. Tracking of data to third party service providers

h. Ability to respond to a GDPR audit request

Factors for streamlining compliance processes include:

a. Testing security measures

b. Documenting, communicating and keeping track of the violation of data governance policies.

c. Automation of obtaining consent for the use of personal data.

d. Automation of corrections to personal data.

e. Development of processes to respond to GDPR audits and Data Protection Impact Assessments.



Here's a follow-up to the Tip of the Night for April 28, 2018, which discussed a Microsoft webcast on how Office 365 can help secure personal data for the purposes of complying with the EU's General Data Protection Regulation, effective May 25, 2018. Tonight's tip concerns how Office 365 can be used to protect against data breaches and provide an adequate level of cyber security to meet the requirements of the GDPR. See 'Cyber threat protection for GDPR', available here.

Threat Protection Services help protect against data breaches and also help detect when data breaches have occurred. Threat actors are now using machine learning and AI themselves, against an attack surface that has been greatly enlarged by factors like the Internet of Things.

The GDPR requires organizations to report data breaches that put the rights and freedoms of individuals at risk to the supervisory authority without undue delay and, where feasible, no later than 72 hours after becoming aware of them. Where a breach is likely to result in a high risk to the individuals concerned, the organization must also notify those individuals whose personal data was compromised.

Windows Security Analytics shows which security controls are enabled across an organization's devices.

Windows Defender ATP (Advanced Threat Protection) is a unified platform for endpoint security, covering both preventive protection and post-breach detection, investigation and response. EDR stands for Endpoint Detection and Response. PUA stands for Potentially Unwanted Application.

An overall score is given in the upper left, and in the lower right a panel indicates which security features are not enabled for one or more devices.

The security operations dashboard shows alerts in the upper right which indicate which machines pose security risks.

Windows Defender ATP stores endpoint data for 6 months, to help track the activities that may have contributed to a breach. Incident graphs can illustrate where a breach began and how it spread. Notice how this graph shows that the breach involved the use of PowerShell.

Office 365 Threat Explorer can be used to track the recipients of a malware-carrying email, and to see for which of them it was blocked.

An admin can isolate a specific machine from the network using ATP while it is investigated.


Sean O'Shea has more than 20 years of experience in the litigation support field with major law firms in New York and San Francisco. He is an ACEDS Certified eDiscovery Specialist and a Relativity Certified Administrator.

The views expressed in this blog are those of the owner and do not reflect the views or opinions of the owner’s employer.


© 2015 by Sean O'Shea.