A New Year’s resolution for CEOs

“I am going to take cyber security seriously in 2016.”

On the whole senior executives claim that they want to act in an ethical manner. And yet if they fail to embrace cyber security they are clearly lying.

Why do I say that? Because playing fast and loose with customer data wrecks lives. It is as simple as that. Lose your customers’ data and you expose them to a major risk of identity theft – and that can and does cause people massive personal problems.

The problems that David Crouse experienced in 2010 are typical. When his identity was stolen he saw $900,000 in goods and gambling being drained from his credit card account in less than 6 months. His credit score was ruined and he spent around $100,000 trying to solve the problems.

Higher interest rates and penalty fees for missed payments just made his financial situation worse. His debts resulted in his security clearance for government work being rescinded. Having lost his job, other employers wouldn’t touch him because of his debts and credit score. He felt suicidal. “It ruined me, financially and emotionally” he said.

Data breaches frequently result in identity theft. And this can have a devastating emotional impact on the victims, as it did with David Crouse. Research from the Identity Theft Resource Center indicates that 6% of victims actually feel suicidal while 31% experience overwhelming sadness.

The directors of any company whose negligence results in customers feeling suicidal cannot consider themselves to be ethical.

Unfortunately most data breaches that don’t involve the theft of credit card details are dismissed by corporations as being unimportant. And yet a credit card can be cancelled and replaced within hours. A stolen identity can take months, or longer, to repair.

And all sorts of data can be used to steal an identity. An email address and password; a home and office address; the names of family members; a holiday destination; a regular payment to a health club… Stolen medical records, which are highly effective if you want to steal an identity, will sell for around £20 per person online, while credit card details can be bought for as little as £1. Go figure, as they say in the USA.

Organisations must accept that any loss of customer data puts those customers in harm’s way. And if they want to be seen as ethical they must take reasonable steps to prevent data breaches. Until they do, well, the EU’s new data protection rules can’t come on-stream quickly enough for me!


The EU’s General Data Protection Regulations explained

The EU’s General Data Protection Regulations (GDPR) may not be the most exciting topic on your agenda (!) but it is important as new rules to be published shortly will replace current laws on protecting personal data.

A draft was published earlier this year; it is still being discussed but it should be agreed in early 2016. It will then pass directly into law although it will be 2 years before you have to comply with it. This means you don’t have to panic until 2018. (But you should start thinking about it now.)

The rules are designed to give people control over their personal data and to simplify the regulatory environment for business.

By the way, there is also a Network and Information Security Directive aimed at curbing cyber crime. This is different: don’t get them confused!

The GDPR draft is still under discussion so the following information may change; however, the important points are likely to be as shown below.

  • Definitions:
    • Personal data is defined as ‘any information relating to a data subject’ (that’s you or me). The ICO defines it more helpfully as ‘any detail about a living individual that can be used on its own, or with other data, to identify them’. This can include photos, email addresses and perhaps even computer IP addresses
    • Processing data means pretty much anything – collecting it, storing it, analysing it, sharing it…
    • A data controller is the person who decides what can be done with personal data; often they are the people who have collected the data; they will appoint a data processor, sometimes in their organisation but often outside it
    • A data processor processes the data on behalf of the controller; the new rules will increase responsibility on these people
  • Geography: The regulations will apply if the data controller or the data processor or the data subject is in the EU; so it applies to, say, US companies processing UK data
  • Employment data is excluded and member states can create their own rules for this
  • Fines for non-compliance will increase. The current draft proposes a maximum of Euro 1 million or 2% of global turnover, although there has been discussion of a higher level of Euro 100 million or 5% of global turnover. Ouch.
  • Existing data protection principles remain and these include:
    • Data processing must be fair to the person concerned, lawful (i.e. with their consent or to fulfill a contract with them) and transparent (i.e. they are able to see its results)
    • Data processing can only be for the purpose specified when the data was collected
    • Only data relevant to purpose specified can be collected
    • Data must be accurate and up to date as far as possible
    • Data can only be held as long as needed for the purpose specified, although if the data is needed for legal purposes it can be kept as long as any further processing is “limited” (i.e. you can’t carry on using it)
    • Data must be secure
  • Certain organisations must appoint a Data Protection Officer (DPO); these include:
    • Public bodies; organisations processing data from more than 5000 people; organisations employing over 250 people that process personal data; and organisations where data processing involving systematic monitoring of people is the core activity
    • DPOs will advise organisations about the rules and monitor compliance with them; they must be free to operate as they think fit (“independent”) and will need a range of skills beyond compliance monitoring: they must be able to manage IT processes (e.g. controlling access to data, retaining data), data security (including dealing with cyber-attacks) and other critical business continuity issues
    • DPOs must be offered a minimum 2 year contract term – so you can’t get rid of them if you don’t like what they are doing, unless they prove unable to perform their duties
  • When high risk activities are proposed e.g. the processing of data that could result in financial loss, identity theft, discrimination, damage to reputation, and loss of professional confidentiality, Data Protection Impact Assessments (DPIA) must be conducted
    • The DPIA must contain a description of the data and the processes used, an evaluation of any risks to the data, and description of how you propose to manage those risks
    • The local data protection authority (DPA), which in the UK would be the Information Commissioner’s Office, must authorise (or forbid) high risk data processing after reviewing the DPIA (this requirement is contentious and may be removed)
  • Data collection requires consent; consent must be opt in (“clear affirmative action”) which means you can’t have a ready-ticked opt-in box; and the opt in must be specific (not part of a wider agreement)
    • Data about minors (up to 13 years old) can only be processed with the parent’s consent
    • Sensitive data (e.g. about religion, ethnicity, etc) cannot be processed
    • Consent for the use of data for “direct marketing” must be explicitly obtained; this doesn’t appear to rule out highly targeted mass marketing where people are not addressed by name – but see the next point
    • Automated profiling that could have some form of “legal effect” and which is based on (or which will predict) personal characteristics such as performance at work, economic situation, location, health, personal preferences, reliability or behaviour is forbidden unless specifically requested by the person concerned
  • Data breaches must be reported to the Data Protection Authority (the ICO) and also to the victims (unless the data was encrypted)
  • Data transfer out of the EU is only allowed under certain conditions. This means that the use of cloud computing services (such as Google Docs, Dropbox and Gmail) is likely to be problematic if personal data is involved as the data may not be secure, may not be held in the EU, or may be shared by the cloud service owner; remember this applies to “informal” cloud computing use by employees – whether or not you know about it

There are a number of things that organisations need to start thinking about in order to ensure they are compliant. Talk to a lawyer when the final wording is approved but in the meantime consider the following:

  • Identify any personal data that you hold
  • Think about how you can timestamp and put time limits on holding personal data
  • If you want to hold data for analysis purposes after you have used it for its original purpose, think about how you can anonymise it, so that it remains legal to hold (“pseudonymising” data, e.g. by hiding personal details so that it can be “re-personalised” at a later date, won’t help)
  • Develop a system that enables you to retrieve all the personal data you hold about an individual if they request it
  • Formalise your data protection policies and processes – and keep records
  • Think about how you are going to manage cloud computing, and also the use of home computers, smartphones and tablets by employees: if you don’t do this then your employees may create compliance failures for you
  • Be aware of the potential of Big Data analysis techniques to create new personal data – even accidentally; for instance an anonymous record of a disability or a first name linked to a postcode could result in new personal data
  • Ensure appropriate security so that unlawful destruction or processing, such as unauthorised disclosure or access, is prevented
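To make the retention, anonymisation and subject-access points above concrete, here is an added illustration (not code from the original article) using constructed sample records, a hypothetical 180-day retention period and a constructed pseudonymisation key. It shows why a reversible pseudonym is still personal data while a properly generalised record is not.

```python
from datetime import datetime, timedelta
import hashlib

# Constructed sample records (fictional people), each with the date it was collected.
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.test",
     "postcode": "AB12 3CD", "collected": "2015-01-10"},
    {"name": "Bob Example", "email": "bob@example.test",
     "postcode": "AB12 3CD", "collected": "2015-11-02"},
]
RETENTION_DAYS = 180  # hypothetical limit for the purpose the data was collected


def expired(record, today):
    """True if the record has been held longer than the retention period."""
    collected = datetime.strptime(record["collected"], "%Y-%m-%d")
    return today - collected > timedelta(days=RETENTION_DAYS)


def pseudonymise(record, key):
    """Replace direct identifiers with a keyed token. Anyone holding `key` can
    rebuild the token and link it back to the person, so this is still personal data."""
    token = hashlib.sha256(key + record["email"].encode()).hexdigest()[:16]
    return {"id": token, "postcode": record["postcode"], "collected": record["collected"]}


def re_personalise(pseudo, key, records):
    """Shows the reversal: the key holder recomputes tokens and recovers the name."""
    for r in records:
        if pseudonymise(r, key)["id"] == pseudo["id"]:
            return r["name"]
    return None


def anonymise(record):
    """Drop direct identifiers and generalise the quasi-identifiers (full postcode,
    exact date) so that no individual can be singled out, even with other data."""
    return {"area": record["postcode"].split()[0], "year": record["collected"][:4]}


def subject_access(records, email):
    """Pull out everything held about one person for a data subject request."""
    return [r for r in records if r["email"].lower() == email.lower()]
```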

Take the protection of personal data privacy seriously. Compliance with the GDPR shouldn’t be a tick-box exercise. Privacy needs to be designed into your business processes for legal and ethical reasons.