Headline-hitting breaches of personal data are contributing to a groundswell of opinion that organizations must do far more to guarantee the privacy and security of the personal information entrusted to them. Many organizations, meanwhile, want to see a looser interpretation of data privacy that gives them the freedom to make more productive business use of the information they gather on individuals – for example, to better predict buying patterns, understand customers or otherwise boost competitiveness.
Caught in the middle are information security professionals charged with devising and implementing controls that can protect their businesses from regulatory, reputational, operational or financial problems without unduly hampering their ability to take advantage of new technology. They must ensure their businesses remain compliant with disparate (and changing) data protection regulations around the globe and sometimes struggle to get their functions seen by the business as anything more than a necessary but unwelcome expense.
As a result, business cases for investment in infosecurity have tended to focus on protecting critical systems and meeting compliance requirements with the minimum cost and fuss. Boards have often been reluctant to entertain requests for any investment in security above and beyond the minimum required to ensure a tick in the box for compliance or security certification, irrespective of whether their processes are truly robust.
As seasoned data security academic, advisor and Infosecurity blogger Professor John Walker of ISACA points out: “There would seem to be a very big issue around the way organizations treat the data of which they are custodians – our data – and in my experience they do not always do the right thing.”
Indeed, Walker notes he was a victim of a privacy breach himself last year when some of his personal financial records were found discarded in a container outside the offices of a windscreen repair company he’d once dealt with (which had subsequently vacated its premises after going into administration). He reported the incident to the relevant authorities, as well as doing what every savvy social media user would – Walker exposed the cavalier practices on his blog and social networks.
Yet there are signs that mounting concerns over the privacy of personal data – whether it’s stored on paper, physical electronic media or in the cloud – could give infosec professionals their most persuasive business case yet for a fundamental overhaul of their approach to data privacy. In the process, security practitioners also have an opportunity to demonstrate that, far from being a drain on resources, implementing robust privacy controls can add real value to the business and improve its bottom line.
Compulsory Considerations
The emerging global legal and regulatory landscape is set to increase the risk that where companies do suffer a breach of personal data, the consequences will be far more damaging than they are today. Next year, the European Union plans to finalize a new General Regulation for Data Protection that, among other things, will make it mandatory for all organizations (both private and public) to report breaches of personal data, along with introducing a requirement to notify all affected parties individually and – in certain cases – compensate them. Many companies operating in the US already have to comply with such requirements under existing state-level and sector-specific regulations, as do public-sector organizations in Europe.
The new European legislation, however, will put many more businesses’ security failings into the spotlight. And the sums involved are likely to be substantial: a report from the Ponemon Institute and Symantec earlier this year put the average cost of a data breach for US firms at $194 for each record compromised.
Stuart Lynch, a consultant at Privacy Laws & Business, a leading consultancy and conference organizer that helps organizations understand and respond to global data protection issues and requirements, says: “While there’s a perception US legislators are less concerned with privacy than their European counterparts, particularly when it comes to homeland security, in many areas US privacy laws are already stronger than the rest of the world. Mandatory reporting of data breaches has developed over the last five or six years on a state-by-state basis, along with an obligation to get in touch with everybody who could possibly have been affected. For example, after the loss of a large file of employee information several years ago, Boeing had to contact all employees and ex-employees who could have been affected, at considerable cost.”
Lynch adds that companies in the more stringently regulated US financial sector face even greater risk, because they are additionally required to compensate those affected by data breaches. “For instance, one of the big banks in New York lost around 11 million records when a backup tape went missing. It took them over three years and cost them many millions of dollars to compensate for that”, he says.
Although there is still wrangling over the finer points of the new European regulation (such as the required timescale within which any breach must be reported), Lynch is fairly certain the mandatory requirement to report all personal data breaches will remain. Larger companies will also be mandated to employ a dedicated data protection officer to ensure the organization remains compliant. “Many large organizations already employ such a person, but in the future those that don’t will be in breach of the law”, he predicts.
Mandatory breach reporting for companies operating in the US or Europe – and the requirement to notify (and potentially compensate) those affected – greatly increases the financial risk to any organization that fails to implement adequate data privacy controls. But it also fuels another, potentially even more detrimental risk: that of reputational damage and the consequent loss of business that could ensue.
Beyond Simple Compliance
Both traditional and social media are increasingly highlighting stories of data breaches. Currently, the public generally only gets to hear about those where organizations have been required to report them or when the data in question has been discovered elsewhere (e.g., on an unencrypted laptop left on a train, or posted on the internet by hackers). But as more breaches become public knowledge in the wake of mandatory reporting, organizational security failings will be laid bare like never before.
Companies will increasingly be named and shamed in both mainstream and social media. Almost certainly, we will see a lot more big names appearing in unfavorable articles, social media posts and rankings of firms that can’t be relied upon to handle personal data appropriately – irrespective of whether they had introduced ‘proportionate’ controls in the eyes of the law and regulators. Verizon’s 2012 ‘Data Breach Investigations Report’ identified four times as many breaches in its data set over the previous year, and states that around 96% of attacks were ‘not highly difficult’, implying they could have been thwarted had fairly basic security controls been in place.
In such a landscape, it will be increasingly risky to follow the common route of only doing the minimum required by law and reactively responding to breaches as and when they’re discovered. Customers will increasingly seek out businesses that can demonstrate they are doing all they can to proactively protect the privacy of any personal data they hold before any breach occurs. Here, then, is an opportunity for infosec professionals to show boards how better processes and controls could boost their bottom line rather than simply helping them meet their compliance burdens.
Greg Jones, director of vendor-neutral risk and security consultancy Digital Assurance, agrees with this analysis and advocates, where possible, designing appropriate data privacy controls into systems at the outset, rather than considering them as an afterthought.
This idea, known as ‘privacy by design’, was pioneered in Canada back in the 1990s by Ann Cavoukian, Ontario’s long-standing Information and Privacy Commissioner, but it is only in the last few years that it has begun to take hold in earnest, championed by the likes of the US Federal Trade Commission and the UK Information Commissioner’s Office (ICO). The ICO also issued a comprehensive report in 2010, ‘The Privacy Dividend’, which usefully set out the compelling business case for investing in such an approach.
Jones says: “Designing privacy into the architecture is obviously far easier for a new operation. For a large organization with legacy systems, processes and suppliers, it can be a far more daunting and potentially costly exercise.”
If the risk of a privacy breach causing significant financial damage is high enough, though, organizations may judge it a worthwhile expense. Where they don’t, or simply can’t afford to invest in a major change program, Jones indicates there are ways to spread the pain and cost. “For example, devolve the responsibility for incorporating privacy controls to individuals and project teams across the business”, he says. “Introduce the approach gradually. Start by ensuring privacy assessment is part of all new projects. And accept that it might take several years to permeate across the business.”
But those who don’t want to be subsumed by nimbler, privacy-savvy competitors should certainly begin to make the changes now if they want to reduce the risk of becoming the next shame-faced subject of public opprobrium.