- Notification of affected individuals.
- Assistance of affected individuals.
- Compensation of individuals for harm and associated distress.
- Loss of customers and reputation.
- Restoration of lost data.
- Penalties from the Information Commissioner (up to €500,000).
As the saying goes, human beings are the weakest link when it comes to security. Data is often an organization’s most valuable asset. As such, it’s appropriate that information security professionals spend a large amount of their time ensuring the confidentiality, integrity, and availability of information assets.
When security professionals begin thinking about data security, they normally start thinking about the security controls used to protect data in two different states: data at rest and data in motion.
Data at rest is data stored somewhere for later use. This might be on a hard drive or a USB stick, in a cloud service or on a magnetic tape as part of a backup or archival solution. Data at rest is vulnerable to theft if an attacker gains either physical or logical access to the storage media. This might be by stealing a hard drive or hacking into an operating system that has the drive mounted. Either method can be an effective way to steal data, and information security professionals must protect against both approaches.
Data in motion is data that is moving around the network between two systems. It might be data moving from a storage location to a user’s computer or data that is simply being transmitted between two systems, such as a user entering their credit card number into a website or sending an email message. Data in motion must be protected against eavesdropping attacks because this data often travels over public networks such as the internet.
There are several things that you can do to protect your organization’s data.
First, you should have clear policies and procedures surrounding the appropriate use of data and the security controls that must be in place for sensitive information.
Second, you should use encryption to protect sensitive information when it is either at rest or in transit. Different types of encryption are appropriate for different environments. You might use file encryption to protect the data stored on a device while transport layer security might protect information being exchanged between two systems over a network.
Finally, you should use access controls to restrict access to information while it is stored on devices. You can use file system access control lists to specify who may view, modify, or delete information stored on a device.
One final note on data security. Many organizations are now beginning programs around the acquisition and analysis of big data. Simply defined, big data is the use of datasets that are much larger than those used by conventional data processing and analytic techniques.
For example, big data rarely uses relational databases because of the significant overhead involved. Instead, big data storage and analysis uses specialized technology like the key value stores of NoSQL databases. Big data storage and analysis introduces unique security concerns. Administrators must think about how this data is secured and the appropriate access to sensitive information, especially that concerning personally identifiable information.
Protecting Personal Data
Limiting data collection is the most important way that an organization can protect personal privacy. If the organization does not collect personal information in the first place, it cannot abuse, lose, or otherwise mistreat that information.
The generally accepted privacy principles require that organizations provide individuals with notice of the information that they collect and the ways that they will use it, and that they obtain the consent of individuals for that use.
This is just the first barrier to data collection. Organizations should never collect information that falls outside of the disclosures that they have made to individuals, even if it’s easy to do so or seems to be incidental to the approved purpose. If you do have a legitimate need to collect more information than you’ve disclosed, you should revise your disclosures, notifying individuals of the new information that you’re collecting and how you will use it.
Obtain new consent prior to collecting new information. Even when you have a legitimate need to collect information and have given notice and obtained consent, good security and privacy practice says that you should still collect only the minimum information needed for your disclosed purposes.
Do not collect more information than you need and do not keep that information any longer than necessary. In some cases, you may find that the technology that you use forces you to exceed this minimization principle.
For example, you might be using a web server that records more information in web access logs than you need for your disclosed analysis purposes. When that is the case, you still must disclose this collection to individuals because, after all, you are collecting the information. The difference is that if you do not have a legitimate need to keep the information, you should remove unnecessary information from those records as quickly as possible, preferably through an automated process that doesn’t require any human intervention.
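The web-server example above is the classic case of technology collecting more than the disclosed purpose needs. The following is an added example, not code from the original notes, of the automated clean-up it calls for: a filter that reads Apache/nginx combined-format access log lines, truncates client addresses to their /24 (IPv4) or /48 (IPv6) network, drops the user name, referer, user agent and any query string (all of which routinely carry personal data), and discards records older than a retention period. The log lines are constructed for the demonstration, and the retention window and the "now" reference are parameters rather than a real policy.

```python
from __future__ import annotations

import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Apache "combined" log format; the same shape is produced by nginx's default.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def truncate_address(ip: str) -> str:
    """Keep only the network part of a client address: /24 for IPv4, /48 for IPv6."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


def minimize_line(line: str, now: datetime, retention: timedelta) -> str | None:
    """Return the minimized record, or None if the line is unparseable or
    older than the retention period and must be dropped entirely."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    when = datetime.strptime(m["ts"], TS_FORMAT)
    if now - when > retention:
        return None
    # Strip the query string: "/account?email=..." -> "/account".
    parts = m["request"].split(" ")
    if len(parts) == 3:
        method, target, proto = parts
        request = f"{method} {target.split('?', 1)[0]} {proto}"
    else:
        request = "-"
    # Identity, referer and user agent are replaced by "-", the log convention for "absent".
    return f'{truncate_address(m["ip"])} - - [{m["ts"]}] "{request}" {m["status"]} {m["size"]}'


def minimize_log(lines: list[str], now: datetime, retention_days: int = 30) -> list[str]:
    retention = timedelta(days=retention_days)
    out = []
    for line in lines:
        kept = minimize_line(line, now, retention)
        if kept is not None:
            out.append(kept)
    return out


# Constructed sample log lines (not real traffic).
SAMPLE_LINES = [
    '203.0.113.45 - alice [09/Mar/2024:10:15:32 +0000] "GET /account?email=alice%40example.com HTTP/1.1" 200 512 "https://example.com/login" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2024:08:00:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/8.0"',
    '2001:db8:abcd:1234::1 - bob [10/Mar/2024:01:02:03 +0000] "POST /search HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    'this line is not an access log record',
]
SAMPLE_NOW = datetime(2024, 3, 10, 12, 0, 0, tzinfo=timezone.utc)


def demo() -> list[str]:
    return minimize_log(SAMPLE_LINES, SAMPLE_NOW)


if __name__ == "__main__":
    for record in demo():
        print(record)
```

Run on the constructed input, the January record is dropped as out of retention, the malformed line is skipped, and the two kept records lose their user names, query string, referer and user agent while retaining the timestamp, path, status and size needed for traffic analysis. Scheduling this over the rotated log directory is what turns the policy into the "automated process that doesn't require any human intervention" the text asks for.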
The less information you keep, the better. You also have a responsibility to ensure that all of your data collection efforts use fair and lawful means of collection. Interpreting what is fair and lawful depends upon your industry and the laws and ethical practices that apply to you. You should consult your attorneys and privacy officials before beginning or modifying any data collection effort.
The bottom line is that you should make all your disclosures in plain language, make your data practices transparent, and avoid being dishonest or deceitful. In some cases you may obtain personal information about individuals from third parties, such as your business partners. In those cases you should take reasonable steps to ensure that the third party is collecting that information in accordance with privacy principles and that the third party has obtained prior permission to share it with you. Be upfront with your users about the sources of the information that you are collecting.
Many legal issues relate to personal data.
The Information Commissioner’s Office gives criteria for personal data:
- Can a living individual be identified by the data?
- Does the data provide information about that individual?
- Could the data be used to inform actions about an individual?
- Does the data concentrate on the individual as its central theme?
- Does the data have the potential to impact on an individual – in personal, family, business or professional capacity?
Consequences of Loss of Data
- Identity theft.
- Loss of privacy.
- Impact on family, business, etc.
Examples of Data Losses
- 37 million personal records stolen from online ‘cheating’ site Ashley Madison.
- 7 million credit and debit card numbers stolen from TJX.
- Theft of sensitive customer data from your database.
- Customers upload illegal content.
- Cloud provider shares your data with government.
- Legal liability needs to be clear before these events happen (they will happen).