The regulators' effectiveness is currently equivalent to trying to put a sticking plaster over the walls of a collapsed Hoover Dam. They are completely ineffective and unfit for purpose. The sheer volume of these attacks is simply overwhelming, and the sheer variety is startling: from crypto scammers infiltrating Twitter to Facebook's stunning $5 billion fine for the Cambridge Analytica personal data debacle. There are thousands more. It appears to me that the regulators have not only lost their teeth but their marbles as well.
The British Airways fine, which was originally going to be £183.4 million, has subsequently been reduced to £20 million.
Similarly, with Marriott Hotels the ICO climbed down from a £99.2 million fine to £18.4 million. In a news release dated 30th October 2020 the ICO states: “Marriott estimates that 339 million guest records worldwide were affected following a cyber-attack in 2014 on Starwood Hotels and Resorts Worldwide Inc. The attack, from an unknown source, remained undetected until September 2018, by which time the company had been acquired by Marriott.
The personal data involved differed between individuals but may have included names, email addresses, phone numbers, unencrypted passport numbers, arrival/departure information, guests’ VIP status and loyalty programme membership number.” See https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2020/10/ico-fines-marriott-international-inc-184million-for-failing-to-keep-customers-personal-data-secure/ for more information.
According to Simmons & Simmons, “A material reduction in the BA data breach fine poses challenges for the market perception of the ICO and GDPR enforcement generally.”
I am certain that there are many who are currently thoroughly bewildered and frustrated at the vast amount of money that has been spent to date in setting up the ICO, in salaries, marketing and overheads, only to have them let companies like BA, Marriott, Facebook and others slide off the hook with a blatant disregard for the personal information that they flagrantly market and a total lack of regard as to how PII is kept private. At the very point when the ICO could have some major wins, they are rolling over and demonstrating themselves to be a spineless, supine organisation with no teeth and even less common sense.
An alternative outcome might be to let the fines be settled over a 10-year period at 10% per year and to withdraw all directors' bonuses for a period of 5 years. After all, why reward boards for acts of supreme negligence and utter mismanagement?
That said, it appears that the regulators would rather read the riot act to SMEs, which is particularly galling when the likes of BA and Marriott Hotels get away with the equivalent of a slap on the wrist!
The question I have is: how do you put the checks and balances in place in order to do the best that you possibly can to ensure that hackers are precluded from getting through corporate data privacy and cyber security defences? At the very least, when such breaches do occur, how can they be accurately and rapidly reported within the mandated window? It is vital to have robust, auditable, operational policies in place and to have these constantly policed.
Many of these breaches can be attributed to poor data privacy, cyber security and data hygiene. Whilst organisations have pen testing, perimeter defences such as antivirus, and out-of-hours logs in place, very little is done to monitor these components as an integrated whole, 24 hours a day, 365 days a year, for irregular activity. At the very least, both Data Privacy and Cyber Security need to be integrated and work in concert with one another in order to provide end-to-end security and a holistic solution to what is a vast and highly complex business issue.
I labour the point that this is a BUSINESS ISSUE; it is not a technology one. If you look at the history to date of organisations abrogating responsibility for Data Privacy and Cyber Security to I.T., you are confronted with a litany of abject failure and a golden opportunity for hackers and cyber criminals.
Many data breaches are down to basic data security not being in place. For example, the spectacular Experian data leak in September 2017, when the personal records of 147 million people were exposed, has been attributed to data not being encrypted at rest! This is basic, entry-level stuff. The level of incompetence shown here is mind-blowing!
To date, Data Privacy and Cyber Security inhabit separate silos. If these were seamlessly integrated, one would significantly reduce the instances of data breaches and cyber attacks. I am not suggesting for one moment that this is a trivial exercise, but the prize for getting this right would more than pay for the effort and cost.
I recall meeting the management team of a large corporation, and the arrogance and downright stupidity shown defied belief. It appeared that no one was charged with the responsibility to manage Data Privacy and Cyber Security from a board-mandated business perspective. Aside from a company's physical assets and reputation, the third part of the triumvirate is its data. How data is safeguarded, mapped, secured and accounted for should be a significant part of any company's DNA.
Suffice to say, this company has since had a large fine awarded against it by the regulators.
Data leaks and the loss of an individual's personally identifiable information are a fundamental contravention of human rights. Every organisation ought to have robust and highly auditable processes in place. I do not think that the regulators have gone far enough. I think that it would make sense for a data leak to form part of an organisation's SMCR (Senior Managers Certification Regime) or equivalent, in order that board members ran the risk of having to serve significant prison sentences if they were to expose personally identifiable information.
Additionally, organisations ought to have the ability to undertake predictive analysis of the whole of their data estate with particular scrutiny paid to PII.
The purpose of all data privacy frameworks is to secure all the PII that an organisation holds and to ensure, as far as one is able, that an organisation knows all about the flow of such information: how PII is secured, who has access to it, where the data emanates from, where it is going to, whether it traverses other privacy shields, what third parties the data is shared with, and whether the processor subcontracts to any other third parties. There is no doubt that, for any privacy programme to be successful, one has to be able to provide a detailed audit trail of this information to the regulators at the drop of a hat.
We run the risk of embracing the Chinese curse of living in thoroughly interesting times!
The Alan Turing Institute defines Data Ethics as “the founding ambition of landscaping data ethics as a new branch of ethics that studies and evaluates moral problems related to data (including generation, recording, curation, processing, dissemination, sharing and use), algorithms (including artificial intelligence, artificial agents, machine learning and robots) and corresponding practices (including responsible innovation, programming, hacking and professional codes), in order to formulate and support morally good solutions (e.g. right conducts or right values). Data Ethics builds on the foundation provided by computer and information ethics but, at the same time, it refines the approach endorsed so far in this research field by shifting the level of abstraction of ethical enquiries from being information-centric to being data-centric.”
A robust Data Privacy Platform ought to act as a major conduit to a Data Ethics programme. After all, if all of an organisation's data is mapped and attested, one is able to account for all its moving parts. Bearing in mind the supreme importance of an organisation's data assets and data estate, surely this must be a crucial part of a company's moral behaviour? Why management teams have overlooked this is beyond me. I have no doubt that it is good business and good moral behaviour to have a member of a group board of directors tasked with the responsibility of managing Data Privacy, Cyber Security and Data Ethics from an operational and business perspective, and being totally accountable for this line of business. This, to my mind, is sound common sense.
On a more positive note, very little attention is given to the upside of having robust cyber security and data privacy tools and processes. By having your clients permission an organisation to use their data and opt in, they would immediately have identified themselves as wanting to receive your messages and information on your services and products: surely a salesman's and a marketeer's dream?
According to Verified Market Research, the Global Data Protection Market was valued at USD 62.82 billion in 2018 and is projected to reach USD 198.59 billion by 2026, growing at a CAGR of 15.55% from 2019 to 2026.
That said, if the regulators backpedal on the fines that they award, heaven knows what damage it will do to this vital, emergent and much-needed market.
Some observations on Data Privacy vendors
The Data Privacy vendor community is growing exponentially; it is probably one of the most active markets. It can be split into Data Governance, Risk & Compliance, and Process Mapping tools. There has even been a flighty unicorn that has had the misfortune to have had its wings clipped and its horn broken, plus a bunch of rather disgruntled former employees.
With Covid-19 nothing is certain, least of all what the future holds.
That said, one of the most exciting smaller vendors is the award-winning Proteus Cyber, who recently won the Info-Tech Research Gold Medal. Proteus, with its NextGen Data Privacy Platform, bridges the gap between Data Privacy and Threat Intelligence. They have recently added new standout features to their current range of offerings. The Threat Intelligence feature tracks and links directly to Common Vulnerabilities and Exposures (CVEs) discovered daily, and can be integrated within the IT asset register of current Proteus Cyber NextGen Data Privacy users.
This useful new feature bridges the gap between privacy processes and supporting controls and the potential cybersecurity threats that pose a significant barrier to ensuring data is adequately protected. The feature is available for free as a part of the vendor’s public website. The true benefit of the feature is the ability that current Proteus-Cyber users will have to directly identify which incumbent threats may leave them vulnerable based on their systems and current patching cadence. Users can sort through CVEs based on type, company, and application, and much like the vendor’s Privacy News Tracking feature, new updates and relevant threats are constantly added.
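As an added illustration of the asset-register cross-referencing described above (example code written for this page, not Proteus Cyber's implementation; the hosts, vendors, products, version numbers and CVE ids are constructed placeholders), this Python snippet flags assets running a version below a CVE's fixed release, measures exposure against each asset's patching cadence, and groups the findings by type, company and application:

```python
from datetime import date

# Constructed sample IT asset register (hypothetical hosts, vendors and products).
ASSETS = [
    {"asset": "web-01", "vendor": "ExampleCo", "product": "WebServer", "version": "2.4.1", "last_patched": date(2021, 5, 1)},
    {"asset": "db-01", "vendor": "ExampleCo", "product": "DBEngine", "version": "13.2", "last_patched": date(2021, 7, 10)},
    {"asset": "crm-01", "vendor": "OtherCorp", "product": "CRMSuite", "version": "9.0", "last_patched": date(2021, 1, 15)},
]

# Constructed CVE feed entries; the ids are placeholders, not real CVE numbers.
CVES = [
    {"id": "CVE-EXAMPLE-0001", "vendor": "ExampleCo", "product": "WebServer", "fixed_in": "2.4.3", "type": "remote code execution", "published": date(2021, 6, 1)},
    {"id": "CVE-EXAMPLE-0002", "vendor": "ExampleCo", "product": "DBEngine", "fixed_in": "13.1", "type": "authentication bypass", "published": date(2021, 3, 1)},
    {"id": "CVE-EXAMPLE-0003", "vendor": "OtherCorp", "product": "CRMSuite", "fixed_in": "9.2", "type": "information disclosure", "published": date(2021, 2, 1)},
]

# Reference date for the exposure calculation (the page's publication date).
TODAY = date(2021, 7, 13)

def version_key(version):
    # Dotted version string -> tuple of ints, so "2.4.10" sorts after "2.4.3".
    return tuple(int(part) for part in version.split("."))

def match_cves(assets, cves, today):
    # One finding per (asset, CVE) pair whose installed version is below the fixed
    # release. Exposure counts from the CVE's publication date; an asset whose last
    # patch predates that date has not been patched at all since disclosure.
    findings = []
    for asset in assets:
        for cve in cves:
            if (asset["vendor"], asset["product"]) != (cve["vendor"], cve["product"]):
                continue
            if version_key(asset["version"]) >= version_key(cve["fixed_in"]):
                continue  # already at or beyond the fixed release
            findings.append({
                "asset": asset["asset"], "cve": cve["id"], "type": cve["type"],
                "company": cve["vendor"], "application": cve["product"],
                "days_exposed": (today - cve["published"]).days,
                "patched_since_disclosure": asset["last_patched"] >= cve["published"],
            })
    # Longest-exposed findings first, so the patching backlog is obvious.
    return sorted(findings, key=lambda f: f["days_exposed"], reverse=True)

def group_by(findings, field):
    # Group findings by "type", "company" or "application" for sorting and filtering.
    groups = {}
    for finding in findings:
        groups.setdefault(finding[field], []).append(finding)
    return groups
```

Calling match_cves(ASSETS, CVES, TODAY) on this sample data returns two findings, crm-01 (162 days exposed) and web-01 (42 days), neither of which has been patched since the relevant CVE was published, while db-01 is skipped because it already runs a fixed release.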
The complex world of data privacy is heavily linked to the cybersecurity realm, although discord often exists between the two owning parties. While privacy management is process oriented, an effective data privacy program necessitates robust supporting technical security controls. After all, a data privacy program intends to safeguard an organization’s sensitive personal data, a feat that involves protection from external as well as internal breaches.
The platform is inherently scalable and excels in highly complex, multi-jurisdictional data environments. For further information see the links below.
Published 13 July 2021
Last Modified 13 July 2021