Mitol PerfectBackup | Fawcett House | Shirbutt Lane | Hessay | York | YO26 8JT | TEL: 01904 737528 | Providers of Online Backup - Hosted Exchange - Cloud Computing Solutions
Online Cloud Backup | Local and Offsite Data Protection | Cloud Computing Services | Hosted Exchange


Ransomware Continues to Grip Europe

As ramsomware encryption continues to strangle businesses in Europe it has become apparent a point in time backup with a long retention / role back period is now more important than ever.

It is well documented hospitals, homes, small businesses are being caught out and the list continues to grow daily.  One thing is now obvious, due to ever more sophisticated delivery methods, we can’t stop it.  It is more a question of when your data will be encrypted.

So do we just keep paying? The official stance is do not pay the ransom and report the situation to your local authorities, but that doesn’t help you get your data un-encrypted and your business back up and running.  If you haven’t got your data protected, you only have one choice.  Pay up and hope it doesn’t happen again.

Backup is vital, I repeat, backup is vital.  It does not matter to an extent how or where you protect your data, as long as you do it often as possible, securely and with a long enough retention policy which enables you to restore to a date prior to disaster.

The Mitol PerfectBackup solution enables you to automatically backup every hour to a local usb or NAS drive every hour, whilst backing up offsite every night/out of hours.  This process is automatic, allowing you to continue with your desired business duties but enables you to restore data back to 1 hour prior to disaster.

Please contact us for further information or to arrange a free trial.

Where is your Cloud Data Stored?

BBC has reported

The US Supreme Court has approved a rule change that could allow law enforcement to remotely search computers around the world.

Previously, magistrate judges could order searches only within the jurisdiction of their court, often limited to a few counties.

The US Department of Justice (DoJ) said the change was necessary to modernise the law for the digital age.

But digital rights groups say the move expands the FBI’s hacking authority.

The DoJ wants judges to be able to issue remote search warrants for computers located anywhere that the United States claims jurisdiction, which could include other countries.

A remote search typically involves trying to access a suspect’s computer over the internet to explore the data contained on it.

It has pushed for a change in the rules since 2013, arguing that criminals can mask their location and identity online making it difficult to determine which jurisdiction a computer is located in.

‘Only mechanism available’

“Criminals now have ready access to sophisticated anonymising technologies to conceal their identity while they engage in crime over the internet,” said DoJ spokesman Peter Carr.

“The use of remote searches is often the only mechanism available to law enforcement to identify and apprehend them.

“The amendment makes explicit that it does not change the traditional rules governing probable cause and notice.”

It said the change would not give law enforcement any new authority not already permitted by law.

However, groups such as the American Civil Liberties Union (ACLU) have warned that the change could expand the FBI’s ability to conduct mass hacks on computer networks.

‘Thousands of millions of computers’

“Such a monumental change in the law should not be snuck by Congress under the guise of a procedural rule,” said Neema Singh Guliani of the ACLU.

In 2015, search giant Google also opposed the change, which, it said, “threatens to undermine the privacy rights and computer security of internet users”.

Oregon Senator Ron Wyden said the change had “significant consequences for Americans’ privacy”, and said he would seek to reverse the decision.

“Under the proposed rules, the government would now be able to obtain a single warrant to access and search thousands or millions of computers at once; and the vast majority of the affected computers would belong to the victims, not the perpetrators, of a cybercrime,” he said in a statement.

Congress can still opt to reject or modify the changes to the federal rules of criminal procedure – but if it does not act by 1 December the change will take effect

Make sure your data is only stored within the United Kingdom borders!

It Won’t be Long Now!!!


Safe Harbour – Deadline issued for new agreement

A new data transfer agreement must be negotiated between the EU and the US by 31st January 2016, or action may be taken against businesses who continue to transfer their customer’s personal data through the US.

What does this mean for my business?

If your business stores personal data which falls under the Data Protection Act, then you need to prepare to move away from services that are based or owned in the US. You must be able to implement this move before 31st January 2016, in case the US and EU do not negotiate a new data transfer agreement.

Why has this happened?

The ultimatum comes after the EU’s ruling last week that the data transfer agreement titled ‘Safe Harbour’ which protected personal data sent through the US, was invalid. This was due to Edward Snowden’s disclosures in 2013 which revealed US global surveillance programs.

The statement was released last Friday by the Article 29 Working Party (the EU’s data protection advisory body). It stated that, ‘If by the end of January 2016, no appropriate solution is found with the US authorities…EU data protection authorities are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions.’

Regarding businesses within the EU, the party noted that they ‘…should reflect on the eventual risks they take when transferring data and should consider putting in place any legal and technical solutions in a timely manner to mitigate those risks and respect the EU data protection…’

Can I just move the services based in the US to the EU?

Currently, there is very little that businesses can do to ‘mitigate the risks’ of transferring data; the US government has jurisdiction over all US companies and their subsidiaries, regardless of their location in the world. Regrettably, this means that moving data to EU based subsidiaries will be fairly ineffective.

What if I’m asked to sign a Model Clause?

Some corporations are now depending on the EU Model Clauses; standardised clauses that allow for legitimate cross border data transfers. Although the Article 29 Working Party have said that these can still be used, there is a debate as to whether these will be the next to go.

Safe Harbour – Should I be Using Overseas Cloud Solutions?

Have your data protection responsibilities just changed?
The agreement that allowed businesses to send personal data between countries in the EU and the US has been declared void by the European Court of Justice, on the grounds that it does not protect against US surveillance.

Yesterday’s abandonment of the Safe Harbour agreement (spelled Harbor in the official pact) will directly impact the way your business is allowed to handle personal information on your clients and your colleagues.

What does this mean for your business?
If you use Cloud based services or US-Owned infrastructures like Office365 and Google Docs, any personal data from your customers or employees will have to pass through a US server. As a result, the US will have a record of this information and has the ability to access it without your knowledge or consent.

Even if the programs and services your business uses are based within the EU, the data may be backed up on a US Cloud. This means that software based in an EU area won’t necessarily coincide with data protection laws.

Safe Harbor Press Release

What was the Safe Harbour agreement?
Safe Harbour was an agreement which protected any personal data of EU citizens that passed through the US. As a result of Edward Snowden’s actions, the European Court of Justice has ruled that Safe Harbour cannot be upheld in a court of law as it cannot claim to keep data that enters the US private.

Personal data transfers between businesses within the EU and the US have not been suspended, but the EU now has the authority to investigate these transfers if it suspects that personal data is not adequately protected.

What happens next?
Some companies are amending their terms and conditions, but this does not negate the EU’s ruling. Currently businesses do not need to take any immediate action, but should wait for guidance from the EU, UK and suppliers.

All US based services are still running for EU businesses, as are those within the EU that directly or indirectly use US servers. Mitol Ltd will keep you updated on any further developments

Microsoft must surrender overseas data, US judge rules

In an extremely worrying step for anyone who already believes the US Government has too much power, it would now appear that even if your data resides in a Microsoft location outside the US they can still gain access. My personal view is that sovereignty of data is a key decision for anyone who is seeking to move to a cloud provider. If this is not over-turned it could have far reaching consequences.


£500,000 for Firms that Suffer Serious Data Loss

A recent article in CRN Magazine  and states the proposed introduction of fines of up to £500,000 for firms that suffer serious data loss
From next year, the privacy watchdog the Information Commissioner’s  Office (ICO)  will be able to fine companies that recklessly or maliciously breach the Data  Protection Act (DPA). The Ministry of Justice yesterday launched a  public  consultation on the maximum amount such fines can run to – a figure it  proposes  should be set at £500,000.In its consultation document the MoJ said it chose £500,000 because  it did  not want the penalty to be more than “10 per cent of the highest annual  turnover  of a small company”.As well as being imposed for malicious or reckless breaches of the  DPA, the  fine could also be used by the ICO against companies who have:

  • Stored or processed personal data in a country outside of Europe  that does   not have adequate data protection legislation
  • Kept data for longer than is necessary for the organisation
  • Obtained personal data unlawfully
  • Accidentally deleted data

Whilst PerfectBackup cannot help with points 1 to 3 we are able to  restore  your backed up data which may have been deleted many years ago.

Under the ICO’s current powers, the strongest sanction the watchdog  has  against organisations that lose data is to serve it with an enforcement  notice  requiring it to improve data security or face legal action.

Deputy information commissioner, David Smith, welcomed the ICO’s new  powers  and said they would help stop more breaches from occurring.

“We are keen to encourage organisations to achieve better data  protection  compliance and we expect that the prospect of a significant fine for  reckless or  deliberate data breaches will focus minds at board level,” he said in a  statement.

The announcement coincides with the latest ICO figures showing that  711  businesses, government bodies and charities have suffered data security  breaches  over the past two years.

Mitol PerfectBackup are committed to offering tailored online backup  solutions for  businesses worldwide, if you feel you are not complying with the above  then  please contact a member of our support team for guidance.

Can European Firms Legally Use U.S. Clouds To Store Data?

Recent Article copied from

A top concern of moving to the cloud, particularly in Europe, is the patchwork of laws that leave many unsure of how to proceed. In Europe, a very stringent legal framework is in place with criminal sanction for companies and individuals that break EU data protection laws. Access to and sharing of EU citizens’ personal data is tightly controlled, including requirements for notification of data releases. In the U.S., while data laws are significantly more flexible, frameworks do exist, meaning European companies operating there also need to comply with U.S. laws.

In particular, laws such as the U.S. Patriot Act have further complicated the situation. Both Amazon Web Services and Microsoft have recently acknowledged that they would comply with U.S. government requests to release data stored in their European clouds, even though those clouds are located outside of direct U.S. jurisdiction and would conflict with European laws. Does this mean, however, that European companies and individuals using U.S.-company-operated clouds are breaking EU law?

Key Factors: Location and Control

There are two important factors affecting the treatment of data. Firstly, knowing where it is physically located, as this determines the legal jurisdiction presiding over that data. For example, data stored in Germany is subject to German and EU law, whereas data stored in the U.S. is only subject to U.S. law. It’s also important to consider where customer records are kept, as sometimes they may be replicated beyond the raw data storage. For example, a company operating a public cloud may hold uploaded data in one place (the main published cloud location), but keep copies at its corporate HQ, which may be in another country.

Secondly, knowing who controls the data is key as some country laws place obligations on companies beyond that country’s borders. For example, since a U.S. company operating in Europe is still subject to the U.S. Patriot Act, the European customers using those services are exposing themselves to U.S. jurisdiction. It’s important to note that subsidiaries of U.S. companies are also subject to the same U.S. data access abroad.

Implications of the U.S. Patriot Act in Europe

European law strictly mandates the treatment of EU private citizens’ data with strong sanctions against breaches. Additionally, there are clear and specific notification requirements if data is shared with third parties. In contrast, the U.S. Patriot Act requires U.S. companies (and their foreign subsidiaries) to comply with U.S. government data requests regardless of location, provided that data is under the control of a U.S. company. Furthermore, by the same U.S. law, such data sharing is not allowed to be revealed to a third party, directly conflicting with European disclosure requirements.

ased on these facts, a U.S. company (or local subsidiary) controlling data in Europe must comply with EU data protection and notification laws, but is also subject to the onerous U.S. Patriot Act requirements, which are incompatible. In such a situation, it’s reasonable to assume that a company would comply with its ‘home’ jurisdiction, particularly if data disclosures are required to be private. U.S. companies controlling EU citizens’ data in Europe are therefore in an impossible situation if they have to release data under the U.S. Patriot Act. The Safe Harbor Framework, designed to avoid this, has proved ineffective, as recently admitted by major U.S. companies operating in Europe.

So, the question remains – for companies holding EU citizens’ data in Europe, does placing such data under the control of a U.S.-based entity expose them to legal consequences? The simple answer is yes. If a German company were to place their customers’ data under the control of a U.S. entity or subsidiary, they could be held liable for any subsequent data release.


article copied from