The recent cyber-attack on London-based telecom provider TalkTalk made front page news in the UK and abroad. It reminded us just how vulnerable our precious data is without the right safeguards in place.
The attack, which put around 21,000 bank account numbers and sort codes, in addition to 1.2 million customer email addresses, names and phone numbers, at risk, is sadly not a one-off – in fact, it is just the latest in a long line of deliberate hacking or security breaches. Similarly, in 2014, the office supply retailer Staples said hackers had broken into the company's network and compromised the information of around 1.16 million credit cards, while earlier that year, JPMorgan Chase suffered attacks endangering the account information of 83 million households and small businesses.
These high-profile attacks gain blanket media coverage and bring the issue of data protection to the forefront, yet many more breaches stem from less malicious causes, such as unauthorized use, disruption and even human error. At the same time, we now produce more data than ever before; the connected world means that our personal data is listed and stored in hundreds, if not thousands, of places. The ability to pay on our phones, even our watches, on the go in any country in the world means that data has never been so critical and yet so at risk. In an increasingly advanced and tech-savvy world, how can we ensure data is adequately protected?
Personal Data Protection in Limbo
Data is protected by a number of regulations across the globe – generally these are sector-specific, risk-specific or country-specific. Things get more complex when it comes to European citizens’ personal data, i.e. any information relating to an identified or identifiable person – customers, employees, suppliers – since privacy is guarded as a fundamental right and protected with common policies across the EU region.
In 2000, the Safe Harbor agreement was put in place to let US companies self-certify their level of data protection so that personal data could be transferred outside of the EU. Following Edward Snowden's revelations on the NSA PRISM program in 2013, as well as Max Schrems' complaints about Facebook's data policies, the European Court of Justice decided to invalidate the Safe Harbor agreement in October this year, leaving more than 4,700 companies on both sides of the Atlantic in a regulatory limbo.
This recent invalidation of the EU-US data transfer pact severely impacts how personal data can be used and transferred outside of Europe, and although talks are under way to reach a mutual agreement on the terms of Safe Harbor 2, this is likely to be a long and drawn-out process.
While these discussions take place, several companies are looking into other options such as model clauses, BCRs (Binding Corporate Rules) and explicit consent. However, these may not be effective in the long term either, as they may introduce logistical complexity or could be overturned on the grounds of US intelligence requirements.
How to Stay Ahead
In order to properly protect data, it is paramount that businesses understand exactly what data is being used, for what purpose, and where. As recent examples have shown us, leaving data exposed to harmful breaches or unauthorized use is damaging both financially and to the reputation of the business, while also putting individuals at risk and violating their right to privacy.
What is more, EU authorities are also working on the new GDPR (General Data Protection Regulation) framework, which would drastically increase compliance costs as well as the fines and penalties for violations, which could reach up to 5% of global turnover.
Companies that want to stay ahead should seek the support of their legal consultants and start addressing a series of five key areas:
What kind of personal data is being collected and what is the purpose?
Where is data stored and/or transferred?
Which legal entities are involved, i.e. colocation companies, cloud providers, others?
Is there an updated data protection and security policy in place?
Are employees and IT managers trained and updated on data protection policies? Is there an appointed officer?
The amount of data we create and use is only going to continue to grow in the years ahead, and with this comes an increased risk of leakage. Coupled with this, hackers targeting this data for their own gain are also on the rise. Therefore we must do everything in our power to protect it today and in the future, with businesses taking greater responsibility for safeguarding the sensitive information they manage day by day.
What other best practices do you use to ensure data is effectively protected? Leave a comment to share your perspective on the matter.