Cyber Security: Data Privacy

How Boards Can Safeguard Digital Assets Today For Success Tomorrow

Cyber continues to dominate headlines - and rightly so. Not only is the topic wide-ranging, but cyber attacks are mushrooming daily, unconstrained by geographic or sectoral borders. Like so many of today’s business issues, human decision-making and behavior lie at the heart of the problem. How can companies develop digital offerings without inviting the real threat of cyber risks? Beyond the numbers, how much insight do boards really have? Within board governance, what data governance structures are needed?

These are just some of the questions that inhabit the cyber security landscape. In this series, Amrop breaks the subject into bite-size portions, collaborating with some of the industry’s most innovative companies as they trailblaze through the digital landscape. This first insight piece is co-authored with Jason du Preez, CEO of Privitar, a leader in the development and adoption of privacy engineering technology.

This article dives into the fast-evolving world of privacy engineering: the tools, technologies and processes that can be used to enforce privacy policies to deliver the principles of privacy by design, considering privacy risk throughout the entire data life cycle.

Focussing on Financial Services (one of the top three sectors to suffer customer defections after a breach) we asked executive and non-executive board members to reflect on the issue. Their input confirms cyber security is top of the board agenda for data-centric businesses. 

Click here to read the full article.

Setting the Scene
Accumulating evidence suggests:
  1. The cost of data breaches is on the rise 
  2. The biggest loss to organizations remains the erosion of business 
  3. Boards and CEO’s are increasingly held responsible for data breaches – and penalized accordingly 
  4. Well-resourced governments are increasingly suspected of targeting companies or influencing the affairs of other states 
  5. Companies are switching on to cyber security, investing in speeding up detection of data breaches and their escalation to top management 
  6. There is a direct correlation between data governance and the cost of breaches
  7. The Internet of Things and machine learning offer exciting new ways to protect systems and detect attacks. However they may also make attacks more efficient – and allow new types of attack.

For companies looking to extract value from advanced analytics, machine learning and sharing with third parties, digital information has become a major strategic asset. Burgeoning volumes are now being amassed, much containing proprietary and highly sensitive data. Employee records, banking transactions and trade data are just some examples.

Every Asset Has its Price
Growing concern for customer privacy is restricting access to sensitive information and proving a barrier to innovation. Incoming GDPR regulation which calls for ‘privacy by design’ will put further compliance pressure on firms. The era of the Data Protection Officer (DPO) is upon us, and one of his or her key functions is to ensure customer privacy. 

The Ripple Effect of Data Breaches
The recent breach of social network site MySpace is a prime example of a case where harm could likely have been avoided by robust privacy engineering. It also demonstrates the role played by online market places in breached data. In May 2016, motherboard.vice.com cited an ‘oft-repeated adage in the world of cybersecurity. There are two types of companies, those that have been hacked, and those that don’t yet know they have been hacked.’ 
Beyond their toxic effect on customers (arguably a societal responsibility issue), the fallout of data breaches can inflict serious damage on the people at the helm of organizations, with repercussions far beyond the ICT function. In 2015, the UK telecommunications challenger TalkTalk suffered a cyber-attack that cost it £60 million, 101,000 customers, and a record £400,000 fine from the Information Commissioners’ Office (ICO). Information Commissioner Elizabeth Denham was unequivocal: “TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease. Yes, hacking is wrong, but that is not an excuse for companies to abdicate their security obligations.” 

An Insider’s Guide to Data Security
Breaches are most often caused by insider action – accidental or malicious. At the same time, a new market has emerged for personal and sensitive data, incentivising criminals to buy cyber-attacks against companies. In the Full Article we give strategists a technical apéritif to some of the key measures to counter the problem. 
Whilst cyber security measures protect data from unauthorized access, privacy engineering tools can protect sensitive data when it is accessed. Indeed, security and privacy engineering should be thought of as complementary fields which together deliver data protection. 
Privacy engineering incorporates a range of techniques which make sensitive data less vulnerable to exploitation. It allows data controllers to select an acceptable level of privacy risk, taking into account the trustworthiness of the stakeholders and environment involved. 
The tools can protect sensitive information at the point of access whilst preserving the valuable patterns and relationships in the data. This gives companies the best of both worlds - the ability to innovate and use data safely.

Breaking Links
One method is to apply a privacy policy to sensitive data and create an anonymized copy. Identifying fields are tokenized or encrypted. The rest of the data is then perturbed to prevent re-identification via linkage attacks - attempts to re-identify individuals in an anonymized dataset by combining that data with another dataset. The ‘linking’ uses indirect identifiers also known as quasi-identifiers. These are pieces of information that are not themselves unique identifiers, but can become identifying when combined with other quasi-identifiers. For instance, an individual’s date of birth and postcode are quasi identifiers; each one alone is not sufficient to identify an individual, but in combination they usually are. 

For more, see the full article.

The Race For DPO Talent 
The potential (and often all-too-real) repercussions of a lax approach to data privacy mean that senior executives have a clear and present responsibility to ensure a better approach across the organization. 

The principle of responsibility will be enforced with the introduction under the GDPR of the Data Protection Officer (DPO). The DPO should be appointed by all companies whose core business operations involve large scale, regular and systematic monitoring of data subjects, or the large scale processing of sensitive personal data. The DPO must report to the highest management board and will be responsible for ensuring that the organization is compliant with data protection law. 

The International Association of Privacy Professionals (IAPP) estimates that this will lead to 75,000 new DPOs globally. Whilst an IAPP certification is not required to be a DPO, it is emerging as the dominant relevant certification. This could lead to a shortage of DPO’s, as there are currently only about 8,000 IAPP certified professionals worldwide. Further research by the IAPP and TRUSTe found that around 90% of organizations would be looking to appoint a DPO from staff internally. 
One has to ask whether internal hires will really be able to make the changes required under the new legislation. Like compliance before it, is this approach really addressing the problem or paying lip-service to the role? 

Whilst the DPO will be integral to an organization’s approach to privacy, and may own it, DPOs and CDO/CIOs need to work together on organizations’ privacy engineering strategies. 

Privacy by design, as mandated in the GDPR, promotes the incorporation of privacy and data protection compliance in the early stages of any project and throughout its lifecycle. This means that certain roles within the company will have specific responsibilities in addition to those held by the DPO, CDO and CIOs, as indicated in the matrices overleaf.

For a Digital Leadership- and Digital Competency Matrix see the full article.

Conclusion - Innovation and Safety Go Hand-in-Hand
The world is painfully waking up to privacy risk. As ever more personal information is collected, the threat to the privacy of individuals is intensifying, and customers are increasingly aware of the risks of handing over their data. 
This means that it is imperative for boards to install the tools, technologies and processes that will not only assure data protection, but help their organizations maintain a watertight reputation for that protection. 
More than a question of risk or reputation management, data security is a lynchpin of organizational evolution. Innovation is catalyzed by access to the insights sensitive data provides. Lose public trust, and the evolution of a company may be compromised.

Board Agenda: 5 Steps to Embed Privacy into the DNA of Your Business.
  1. Ensure the CIO or CDO has a clear view of the sensitive data held by the organization, and what is currently being done with it.
  2. Consider and agree upon the data needs of the business – these could include data science/analytics, innovation, development and testing, IT, research – the key is to understand who will need access to the data, and to what level.  
  3. Assess and define privacy policies -This will generally be the responsibility of the legal team, or DPO, working closely with the CIO or CDO. 
  4. Apply technical controls to mitigate privacy risk, and to bring consistency and full accountability to the governance of confidential data.
  5. Train teams about the privacy risks when handling sensitive data, and how best to manage those risks.  

Read the full article here.