Each year brings more large-scale security and privacy breaches, leaving the general public questioning to what extent companies can be trusted with their sensitive information. Retail, health care, banking, entertainment, governments – no industry is left untouched. Security and privacy must remain top of mind within every organization, as both are essential in safeguarding data, protecting brand image, and avoiding hefty fines and financial losses.
Across the US, Canada and the UK, January 28 is recognized as Data Privacy Day in an effort to raise awareness for the importance of respecting privacy, safeguarding data and enabling trust.
Spearphishing, social engineering and other exploits have only increased as the preferred method of attack. After all, why should we expect an attacker to work hard to break in when employees so often fall for scams that disclose valid credentials or download malware?
According to the 2016 Verizon DBIR “30% of phishing messages were opened by the target across all campaigns… About 12% went on to click the malicious attachment or link and thus enabled the attack to succeed.”
“Think before you click” is an understatement at this point.
Because these attacks are targeting employees in all business areas, we must be diligent in sharing the importance of security and privacy within our organizations. No matter how fast technology has improved, we the people continue to be the weak link in the chain when we should be the first line of defense.
Now, more than ever, it is imperative that organizations revisit and practice the concept of Privacy by Design. This is a topic touched on before, but the message remains relevant and is worth revisiting on Data Privacy Day.
Privacy by Design is composed of 7 key principles:
1. Proactive Not Reactive – Organizations must have policies, procedures and methods to identify poor security and privacy practices and address them before they become an issue.
2. Privacy as the Default Setting – Personal data should be protected in all information systems by default and not require any intervention from the individual to protect their privacy.
3. Embedded Privacy – Both privacy and security should be embedded into the design of information systems and business practices. In addition to doing security risk assessments, privacy impact assessments should be completed as well.
4. Full Functionality – Privacy should not be a tradeoff when considering full functionality of an application. Just like security, privacy should not be treated as a zero-sum game.
5. End-to-End Security, also known as Full Life Cycle Protection – This life cycle includes the following elements: collection, use, disclosure, storage & destruction.
a. Collection: only collect the minimum necessary information.
b. Use: only use personal information in the manner that it was intended to be used. How that data will be used should also be clearly disclosed to the individual, and must be done in accordance with the appropriate country’s law. For example, in the European Union (EU) you must explicitly consent to having your personal information used for a specific marketing purpose.
c. Disclosure: only people that have a business need should be authorized to view that data.
d. Storage and destruction: appropriate security controls must be in place for storing sensitive data, and when that personal data is no longer required there must be a secure means of disposing of/erasing it. This includes not retaining personal data any longer than required for its intended use.
6. Visibility and Transparency – Focus on accountability and trust. End users should be clearly informed regarding how their personal data will be used. In addition, the organization must have clear privacy policies, procedures, and someone accountable for ensuring adherence to them.
7. Respect for User Privacy – The interest of the individual providing the personal data should be considered at the forefront. When collecting data, it is necessary to have a clear means of obtaining consent, except as otherwise permitted by law. Accuracy of the data, access to what information is being retained, and a means of ensuring compliance must also be publicly communicated.
Data Privacy Day is another opportunity to revisit the recent changes to international privacy law. In 2015, we saw the demise of US – EU Safe Harbor, followed by the creation of the US – EU Privacy Shield Framework and GDPR in July 2016. GDPR will replace the EU Data Protection Directive 95/46/EC when it goes into effect in 2018. These changes are significant and have wide-reaching implications for organizations that do business with the EU and hold personal data of EU citizens. On January 12, 2017, the US – Swiss Privacy Shield Framework was approved.
All of these changes bring new levels of accountability and the potential of significant consequences if not taken seriously. Under these new regulations, Privacy by Design moves from being a concept that we talk about to being formally recognized and linked to enforcement. I will devote more time to GDPR in my next article.
More information is available via the following resources: https://privacyassociation.org and http://www.staysafeonline.org/data-privacy-day/about.