As companies and individuals assess the value and future of their data, new considerations are required to assist decision making on data residency, security and storage. Good governance has never been so essential as data breaches get more attention, privacy initiatives multiply, and data protection authorities flex their muscles.
For some time, data has been compared to oil in terms of its increasing value. More recently, a number of high-profile data leaks have received headline-grabbing attention and have drawn comparisons to some scandals that beset the largest oil producers and caused devastation back in the days when the safety and security around handling such a potentially damaging commodity were far from established. Exxon Valdez and Deepwater Horizon come to mind.
Breaches – coming thick and fast
British Airways, Equifax, Marriott and Capital One are all large, successful companies – they have also suffered significant data security breaches recently that have been highlighted by the mainstream press. Capital One is the latest to surface and analysis of its infraction has attracted attention at the highest levels of the US government.
Capital One, a large US bank with a market cap of $42bn, had established an email tipping line for “white hat” hackers to warn it about system weaknesses. It received one on July 17 2019: “there appears to be some leaked s3 data of yours in someone’s github/gist.” The email had a link to an account at GitHub, a provider that facilitates the storage and management of development projects. These GitHub files led to Paige Thompson, a 33-year-old former employee of Amazon Web Services, whose online tag was “erratic” and who had actually been disclosing her action already on Twitter to other hackers. Thompson had accessed the credit card applications (think social security numbers, addresses, date of birth, income data) from 100m people in the US and six million in Canada. The data was on servers leased from Amazon Web Services, but it quickly became clear that Thompson’s former role at the same company had not given her an advantage in penetrating what was a poorly configured firewall. She had accessed the data on a number of occasions between March 12 and July 17. When the FBI seized Thompson’s computer equipment it appeared she had hacked another 30 companies in a similar way; it also seems she did not distribute or sell any of this data. She did it for fun? Or to point out how easy this is – as vast amounts of data, held by almost every business, are stored with insufficient safeguards and protection?
British Airways (BA) suffered a data breach in 2018, where the data of 500,000 customers was compromised. Once again, poor internal security enabled the unauthorised access. BA implemented an effective incident response plan, set about remediating, and also reported the breach correctly within 72 hours. It then stated its aggrievement at being fined £183m by the UK Information Commissioner’s Office, which is close to 1.5 percent of its global turnover, for a criminal act perpetrated by an outsider.
The rise of the DPA
The BA fine is a warning of things to come for all that are now subject to the new world under the General Data Protection Regulation (GDPR). BA’s fine rocked the corporate world – the highest pre-GDPR fine handed out by the UK ICO had previously been £0.5m to Facebook. The fine even dwarfs any enforcement that the UK Financial Conduct Authority has previously delivered for data security breaches. Tesco was fined £16.4m by FCA over a 2016 cyber attack where £2.26m was stolen, while Zurich got a £2.27m hit from FCA for losing data.
Other EU Data Protection Authorities (DPAs) have not been idle and have also been flexing their GDPR muscles. By August 2019, the various DPAs (France – 3; Greece; Netherlands; Turkey; Romania; Spain; Norway; Lithuania; Portugal) had collectively handed out 11 fines for a total of €2,351,500 (average fine of €213,000). Analysis of the reasons for each data security failing is insightful and includes: weak security measures; unlawful employee data processing; exposed medical records; poor technical administration; inadequate security measures; excessive video surveillance and no password protection; no audio permissions on an app; exposed login information; and incorrect authentication measures. A pattern starts to emerge – many corporates are revealing their inability to put in place some very basic security measures around confidential and common data sets. France also seems to be most active in enforcement terms.
It will be interesting to see what sort of fine Capital One receives in the US for its data disaster, but right now it has estimated that the cost of the breach will be $150m in extra customer support, which is about one tenth of quarterly profit.
GDPR goes global – it’s extra-territorial
One key point in relation to GDPR, which must not be ignored by senior management of non-EU firms, is the extra-territorial nature of the Regulation. GDPR applies to data related issues for all EU citizens wherever they reside, and when personal data is processed in the context of the business activities of a controller’s or processor’s establishment in the EU. This applies regardless of whether or not the data processing takes place in the EU.
Similarly if a company is not established in the EU, GDPR applies if the company targets individuals in the EU by offering them products or services or monitors their behavior, if that behavior takes place in the EU.
In November 2018, the European Data Protection Board published draft guidelines with a view to addressing the lack of clarity around the territorial scope of GDPR. The Guidelines explain that a key element for the application of targeting is whether the conduct of the controller or processor demonstrates an intention to offer goods or services to an individual located in the EU. Targeting criteria can only apply if controllers/processors outside of the EU have made clear an intention to establish commercial relations with individuals in the EU.
In the case of the data breaches at both BA and Marriott, while the data sets were located outside the EU, they contained data related to EU subjects and that was the GDPR trigger.
More privacy regulation on the slate
There is a slew of new legislation and initiatives related to data protection bubbling through right now, especially in the US where data activism is on the rise. GDPR might be considered the catalyst for this. Particular focus is on the imminent enactment in California of the California Consumer Privacy Act in January of 2020. It has a great deal of similarity to GDPR as regards transparency, consent and notification times. Equivalent state-based legislation has already been enacted in seven other states between 2010 and now. Bills have been introduced in 11 more states regarding consumer right of access and deletion. The data protection cavalry is coming.
Better the devil you know?
One of the key challenges for the busy compliance and monitoring team related to the new prominence of data protection requirements is the inherent conflict with more established, or some might argue higher priority, financial services regulation. The most obvious example is the obligation to satisfy the requirements to capture and monitorthe data of front office personnel who are advising clients, taking orders and committing firms/clients in the market with trades. That data needs to be captured, stored and retrievable in increasing volume as the depth of requirement under both MiFID II and the Market Abuse Regulation increases. Like icebergs colliding, GDPR and its interpretation can stymie the ability to meet these requirements. Everyone is watching and waiting as the newer privacy requirements bed in to see the extent to which consumer rights make standard monitoring more impractical. The right to be forgotten threatens to play havoc with firms’ requirements to retain data and meet future regulatory obligations. These battles are yet to play out, but everyone is eager to learn as they do.
There are already vastly different approaches to monitoring practice based on the location of the employee; Behavox roundtable attendees describe very different views on what is deemed to be “proportionate” monitoring in their satellite or head offices in countries like France, Germany and Switzerland. This is replicated in a number of countries in Asia. As one roundtable attendee described the conundrum right now, “we take the view that we have to gamble on which regulator has the sharpest teeth. Until the ICO here [UK] starts slamming firms for data breaches, we are going to keep watching the riskiest people and make sure FCA cannot accuse us of sleeping at the wheel.”
The best foot forward
The patchwork of requirements, the shifting sand, the speed of technological change – all make for a heady mix. How does the firm and its combination of CIO, CISO and technical expertise cope?
The data handlers in any firm need more connectivity with the whole business. Governance needs to take higher priority. Some ground rules can help: establish a clear definition of business purpose for capturing content; map data sources to internal controls; update consent policies to describe what communications are captured; provide transparency in how data is used/accessed/retrieved/ disposed; ensure internal systems and outside processors can respond to any inquiry; update third party security and privacy attestations/certifications; establish data retention policies mapped to known data.
The reliance on Cloud now places greater emphasis on data control and inventory; it must be well classified and accessible. Breach notification timelines of 72 hours, and the ability to respond to data requests, put a premium on a flexible and accessible storage system. Voice, video and any format that results in retention of an individual identity (like CCTV and gate analysis) just add to the complexity. Finally, the principle of “privacy by design” (where all designs from ground up are built with privacy in mind) must take in the way your vendors operate too.
Data security must get better from here
With increasing power and scrutiny, the fines and breaches are not going to dry up any time soon. The early miscreants are pointing their finger at malicious players – state actor, competitor, a lone wolf, a disgruntled employee, hardened criminal – and asking for more mercy when they have gained unauthorised access. But so far this has been all too easy and down to internal weakness rather than sophistication of attacks.
An effective approach requires a paranoid and persistent attitude. The entity doesn’t know who is at work to access its data, and these multiple invaders only need one slip from that entity to get in. The defence must be perfect and without weakness. Firms like BA will keep trying to deny blame for malicious trespass they cannot control and did not invite. Governments and regulators will not agree – if a company uses data, it has to be responsible for protecting it. That’s a duty owed to the customer and the employee. This is an inevitable cost of doing business.
Firms like Capital One and Equifax should have had more protection, and a culture of security, demanding a restless examination of their own defences. Questions need to be asked about the calibre and future of some of these big, outdated technology teams who are clinging onto relevance while proving costly and ineffective. Firms that are migrating wholesale to the cloud to facilitate innovation and reduce cost need to be investing more in their data security approach.
Despite the more aggressive enforcement related to data breaches, most individuals feel less confident that our data is going to be properly protected over time, even as corporations start to beef up their approach to data security. The competitive advantage in making the right investment? The fact that people will be loyal to the companies they believe are going to best protect their data.