Learn why the EU GDPR may actually be good for business

This article was originally published on Khaleej Times

Prelude

Decision makers in the European Union (European Union, the Council & the Commission) reached an agreement in December of 2015 on something that they had been working on since 2012. This decision, as it turns out, would have a major impact globally. It was to agree on a revised framework for data privacy, data ownership & data handling, which was meant to apply to the EU & its citizens. The EU defined May of 2018 as the month when this new framework would become effective, replacing a framework that had not changed since 1995 [European Data Protection Directive (Directive 95/46/EC)].

The basic tenets of the EU GDPR, or GDPR in short, are not really different from what is common knowledge, but what differs now is that they have been codified into a regulation, something which had not been done earlier. In this article, we will go through these basics & get to understand how GDPR is in fact very good for business in the long term.

Why is data security important?

This is a rhetorical question to begin with! Our constantly-connected world has become digital to such an extent that it is now possible to live comfortably without ever having to step out of our homes. We can work remotely, order food from home, communicate with our loved ones digitally & shop online. There is barely any activity which cannot be performed online. This has increased the digital footprint that our lives leave behind & the amount of data that is recorded, transmitted & generated about ourselves.

With this increase in digital information about everyone, it is meaningless, maybe even unwise, to ask why data security is important. In the pre-digital era, we would protect our offline assets: our house, our car, our paper documents, and our electronics. In the post-digital era, when each of these physical assets has been virtualized, it is expected that we need to protect our digital assets.

We do not ask why insurance is important for the peace of mind of our family, or why seat-belts are important for our safety, or even why ensuring the safety & security of our family is important! In the same vein, we should stop asking why data security is important.

Pre-GDPR era

The European Union, when it took up evaluation of the European Data Protection Directive (Directive 95/46/EC), realized that there were several logical flaws in the existing data protection guidelines, principles & regulations.

Data collectors were effectively free to do whatever they wanted with the data, no matter who it belonged to, how it was stored, how it was handled, or what was intended to be done with it. This freedom arose out of a lack of clear guidelines & boundaries, mainly since the then existing framework had not defined them well enough. This led to a culture in which the rules were interpreted in whatever manner served the collector’s own business goals.

Another fallout of a weakly defined framework was that data collectors & data processors were unsure of exactly how data security should be implemented. While companies genuinely intended to protect their customers’ information, they were unsure about how exactly they should go about doing this. In the absence of national regulations to guide them, internal policies ended up being undefined or under-defined.

And finally, a major consequence of the previous framework was that data privacy protection as a business activity became largely self-regulated. This created a conflict between business objectives & security objectives in organizations. Business objectives would frequently dominate over security objectives due to constant pressure on profitability. Many organizations which displayed clear intentions of upholding high standards of data privacy & security chose to adhere to frameworks such as ISO 27001, but without a regulatory mandate, it remained a matter of choice & not compulsion. The EU identified this gross failure & decided that self-regulation was clearly not the way forward.

There are several examples of global successes involving regulations that make it clear what organizations are permitted to do & what they must avoid. The financial & banking industry is one such case; it could not exist without such regulations.

In the domain of data security, which is a relatively new field, Singapore’s PDPA & HIPAA from the United States of America are excellent examples. Governments of several countries have quietly been working on setting up regulations which are strong enough to establish clearly defined boundaries & principles.

Impact of a Data Breach

While news of a data breach is surprising, data breaches have had a significant negative impact on several organizations. The major impact that an organization faces when a data breach happens is a permanent loss of goodwill. They become examples of data security breaches. They get quoted, over and over again, in conferences, in discussions, during audits, and in training programs. This impact takes a very long time to disappear. Some examples of major data breaches and their impact are listed below. These should make it clear that data breaches are usually very costly whenever they happen.

  • Multiple data breaches in 2013 & 2014 knocked an estimated $350 million off Yahoo’s sale price in 2016 when it announced that the breach was larger than it had estimated earlier.
  • Following a breach in 2008, Heartland Payment Systems was deemed out of compliance with the Payment Card Industry Data Security Standard (PCI DSS) and was not allowed to process the payments of major credit card providers until May 2009. The company also paid out an estimated $145 million in compensation for fraudulent payments.
  • After a breach in 2013, Target’s CIO resigned in March 2014, and its CEO resigned in May. The company later estimated the cost of the breach at $162 million.
  • Uber’s data breach is believed to have cost the company dearly in both reputation and money. At the time that the breach was announced, the company was in negotiations to sell a stake to Softbank. Initially, Uber’s valuation was $68 billion. By the time the deal closed in December, its valuation had dropped to $48 billion. Not all of the drop is attributable to the breach, but analysts see it as a significant factor.
  • In 2014, Sony agreed to a preliminary $15 million settlement in a class action lawsuit over the breach that occurred in 2011.

What does GDPR expect from businesses?

GDPR is legally worded & presented, but its general principles are easy to understand. GDPR wants businesses to care about the security of data subjects’ data, to be aware of the rights of data subjects, and to enforce the responsibilities of the Controllers & Processors who manage & work on the data.

  • Every business activity involving someone’s data should be lawful, fair and transparent. This is a straightforward expectation. No business is permitted to use data illegally, unfairly or covertly.
  • Whatever is to be done with someone’s data should be expected by, & known to, the person whose data it is. In other words, no one should be surprised by what a business does with their data.
  • Businesses should gather only the amount of data necessary for the purpose of carrying out their business.
  • The data you keep must be accurate. Active involvement & engagement of the data owner is recommended to maintain accuracy over a long period of time.
  • Businesses should only keep data for as long as it is needed. Once someone’s data is not required anymore, businesses should delete it.

Global relevance of GDPR

Because the EU has spent significant time & effort evaluating the changing needs of data privacy & security, and has come up with a robust regulatory framework as a result, several governments internationally are changing their own data privacy & security laws to reflect elements of the EU GDPR within their own regulations.

This in essence makes GDPR not a Europe-specific regulation but an international one, although it is implemented & enforced by various governments.

It is commonly believed within security circles that adhering to GDPR makes an organization automatically compliant with most global standards & regulations. This belief also extends to organizations & security professionals seeing a major change in how the internet behaves.

What does GDPR mean for consumers & why is it good for business?

Consumers in general are not against the idea of sharing their personal information with businesses. Rather, they dislike it & react strongly if their trust is breached, which may happen because an organization did something with their data which they did not consent to, or something that they did not expect an organization to do, or something that they were clearly opposed to when sharing their data.

And consumers are especially offended when organizations take them for granted & do something that undermines their value. This last point has been amply demonstrated by the worldwide outcry following revelations of how Facebook carelessly handed over data to Cambridge Analytica without consent.

Consumers also tend to become upset when their trust is implicitly breached because an organization did not implement adequate levels of security to protect their data, which eventually led to a breach. In such cases, consumers are usually more forgiving, as long as the organization is genuinely apologetic & takes measures to improve its security. This case has played out several times, as with Sony PlayStation, Target, LinkedIn & Equifax, all of which were major breaches due to lower standards of security. All of these organizations followed up their breach with improved standards of security.

GDPR addresses all of these issues of consumer trust by making it mandatory for organizations to ensure that proper consent is obtained, that data is handled exactly as indicated, that data is never handled carelessly, that adequate security measures are implemented to protect data, that control of data is handed back to consumers, & that data is deleted when it is no longer required.

Unlike earlier times, when organizations decided for themselves what & how they handled security, the EU GDPR makes it mandatory, clear & explicit. Organizations have a ready set of principles on how to go about handling consumer data & a bare minimum set of things that they need to do while dealing with data.

Organizations do not need to self-regulate anymore. Adhering to GDPR makes it easy & makes it clear. This leads to a scenario where consumers’ trust in businesses improves automatically. Consumers now know that organizations are adhering to a set of principles, & this is why they will trust them more.

Trust is good for consumers & trust is good for business.

Humans are the Weakest Link in Information Security

This article was originally published in the September 2017 issue of CIO Review Magazine

Consider the following:

  • WannaCry Ransomware (2017) exploited a vulnerability in the SMBv1 protocol of Windows and was successful because of unpatched computers. Microsoft had released a patch two months before the ransomware hit the world, but many systems were still infected, putting the security of their information at risk.
  • Bangladesh Bank (2016) was hit by a cyber-heist after the login details of an employee were discovered and used to install malware on the bank’s system. Total loss to the bank was estimated at around $81 million.
  • The PlayStation Network attack (2011) resulted in hackers getting access to the details of 77 million users, ultimately leading to a fine of GBP 250,000 on Sony, which was attributed to “poor security measures” that didn’t comply with UK legal requirements.

WannaCry, Bangladesh Bank, and the PlayStation Network attack are only the tip of the iceberg. As a pattern, all these attacks are aimed at only one thing: information.

Why are Humans our Weakest Link?

Given that humans make so many mistakes, it is not surprising to suppose that in the great chain of machines, we are the weakest link. The defining qualities of our species are that we are unpredictable, often irrational, easily form poor habits, are emotionally driven and, in general, behave far differently from any computer system. If our objective is to protect information, then instead of being a strong tool against cyber attacks, our humanity is the very thing making us vulnerable.

On the other hand, a computer system, or any automated system for that matter, is capable of following set protocols and procedures to an exacting degree of precision, repeatedly, consistently, predictably and reliably; something that is a boon to IT security. It is only natural that we would prefer computers over humans. Info-sec professionals have become so confident in the dependability of computers that they would gladly replace their human forces with a horde of machines. A machine would make no mistakes, would never tire, and would always respond in the manner it has been designed to. Machines would adhere to their algorithms and will only ever do what they have been taught to do.

Can Humans be our Strongest Link?

It is common to use technology in information security systems. Heuristics-based systems are employed regularly in our protective perimeter, and with the advent of AI which applies machine-learning techniques, it is only logical to assume that the future of information security lies in fully automated systems capable of responding to almost all kinds of threats.

While there is no doubt that recent advances in AI have been significant and impressive, there were some major and risky incidents in the field of AI in 2016 alone:

  • An AI designed to predict recidivism behaved in a racist manner
  • AI NPCs (Non-Playable Characters) in the AI-infused video game “Elite Dangerous” designed unauthorized super weapons
  • A patrol robot collided with a child
  • A self-driving car under development was involved in a deadly accident
  • Microsoft’s teen AI, designed to converse with users on Twitter, became verbally abusive

While automated systems, especially the “smarter” ones, have come a long way, they still tend to lack refinement. They are designed and trained by programmers who have until now been unable to suitably, and comprehensively, define the “universe” of information security for them. Without a complete understanding and knowledge of this infosec universe, it is near-impossible for a computer to deal with new and unforeseen threats. While they may be able to deal well with predictable issues, in unanticipated circumstances they require humans to take qualitative decisions. This is analogous to the need for human pilots in aircraft even though most of the flying is done by computers today. Those same human traits which create security vulnerabilities are often a crucial necessity in the field of security.

The Right Weapon for the Right Battles

While attacks are carried out using powerful computers racked with ingenious code, a hacker is still nothing more than a malicious human; one who can think, adapt, become excited, display initiative, and be emotionally invested, just like the people defending themselves from their attacks. Consequently, it is in our best interest to fight that human with a weapon which is equipped with similar traits & qualities, albeit one that has been made stronger with the help of training & technology.

In the face of machines, there is no doubt that humans fall short in many aspects. Still, it would be unwise to dismiss their role altogether. The purpose of all security systems should be to strengthen security by helping humans make good decisions, including them as an asset to security.

Info-censured Sustained Businesses

The strength of a product lies in serving business objectives, which is provided by build stability along with reliable information security (of both intellectual property & data) and effective info-sec processes, which are ultimately run by humans. Clients need these to rest assured that their business continues without having to constantly worry about the next cyber-attack.

The best way to execute information security is when it remains covert, stays one step ahead of these attacks, adheres to reliable and tested security frameworks, and employs technology in a manner that permits humans to become the strongest link in the information security chain; thus allowing the client’s business to continue uninterrupted, and business owners to focus on their growth strategy.