Data breach notifications in GDPR are not the biggest challenges in privacy
Across the EU, and internationally, security teams are wrestling with the incoming (or pre-existing) legislation on privacy, security, data protection and mandatory data breach notification or reporting.
The EU GDPR is just one example of this: hugely detailed and prescriptive, with very far-reaching consequences for organisations. In fact, it touches anyone that handles personal data, including international or overseas companies that might work with, or serve, EU citizens. In parallel, the US has had data breach notification laws in several states for some time, and Australia is about to usher in its own mandatory data breach reporting process.
We have blogged about this, in particular the challenges around data breach notifications and reporting incidents on a number of occasions:
The asymmetry between attackers and defenders
In many ways the challenge here relates to the difficulty of providing a truly effective and all-encompassing defence against cyber threats. The asymmetry between attackers and defenders is so great that it is now widely recognised that, at some point, most (if not all) organisations will suffer a breach.
The legislation therefore aims to enforce an environment in which this reality is recognised: when issues occur, the relevant authority is notified and affected individuals are communicated with promptly, effectively and clearly, so that the regulator (the ICO in the UK or the OAIC in Australia, for example) has a sound basis on which to ensure consumer/individual protection and can decide what response it needs to launch.
For individuals, the news that their data has been leaked or exposed will never be welcome. The effects might range from having to change passwords, to getting new credit/bank cards, to the kind of personal impacts and/or embarrassment we have seen in past breaches from the likes of OPM, Ashley Madison or Morrisons. The effect of breach notification laws should be to enforce timely detection and response, so that the impacts can be minimised and the subscribers, customers, employees or patients can gain some assurance in the integrity of the process used to resolve the incident.
This means (as regular readers of this blog will know):
- the right combination of tools and technology;
- the availability of data for diagnostics and response;
- a team of the right people, with the right skills and focus;
- effective, repeatable and trustworthy processes; and
- a willingness to embrace technologies and innovation.
The BIGGER challenge: A Privacy Culture
Where the security team, and the wealth of new controls and processes they introduce to deal with cyber security breaches, will struggle is in shaping the culture of the business around dealing with a security breach in the interests of the data subject rather than in those of the organisation; i.e. becoming truly citizen- or customer-centric when a lapse in security is being handled.
It is a bit like sport – you can have the right training, the right nutrition, the right coaching, the right strength, skills and endurance – but if the mental attitude or determination is lacking the results probably won’t be as good as they could be.
A security culture that deals with breaches effectively is a bit like the mental attitude of the organisation – it can’t be written down or taught, it has to be enshrined.
This extends across the organisation in every way because it is not just about protecting information (in the security sense) but how it is used and valued.
Asset values – Organisation or Individual
It is difficult to assess the value of an asset, especially for an organisation. Even with intellectual property assets the costs of a breach are hard to predict. For a design of some kind it could be the cost to litigate to recover, the lost R&D investment, the loss of competitive advantage, revenue and profit or the entire ability of the company to trade. For example… https://www.theguardian.com/world/2016/oct/10/mysterious-factory-break-in-raises-suspicions-about-chinese-visit
So it is with personal data held by an organisation: the value of a customer as an account holder or subscriber (the average revenue per user, ARPU), the cost of marketing and sales per newly signed-up customer, the cost of discounts and fee holidays when a breach occurs, and the price of identity or credit protection insurance when personal details are lost. These measures are really only geared around breaches. When privacy and customer data ownership are part of the culture, the question is how data is used, shared, accessed and made available to the business, as well as security, or “how it is protected”.
The challenge is that these valuations are company specific and not customer-centric – for the individual affected by a breach the impact can vary enormously depending on what data was exposed, whether the inconvenience is minor (change a password) or major (have to get new cards and sort out fraudulent payments or stolen identities) or simply irreversible (when medical details or private secrets are disclosed).
The best example would be a breach involving 1 record or 1m records. In the former case the lone affected individual might have a real fight on their hands to get the organisation to admit a problem, or to rectify the lost data or provide redress for any inconvenience; whereas a single individual in amongst a 1m record breach would expect their plight to be the subject of news reports, coverage in the cyber security press and a planned campaign of customer relationship and confidence management. So an individual might find the impact of the 1m records breach much easier to handle due to its profile, than the single record breach that affects them. Conversely of course, for the organisation losing a 1m record data set feels like a much worse event than losing a single customer file.
So how you use and value data is at least as critical as the response and remediation processes you put in place to deal with breaches when an incident occurs.
Regulation should be the minimum not the maximum
The data breach regulations in place often have a service level or time period attached. For example, GDPR imposes an obligation to report breaches to the regulatory authority within 72 hours of detection, and to the affected data subjects as soon as possible.
Likewise there are criteria (somewhat subjective) around what breaches are deemed sufficiently significant to merit reporting.
The reality, though, is that these much-maligned targets should be viewed as the outer limits rather than a hurdle to scrape over. The expectations of the people affected, whether by a breach, the compromise of their privacy or the misuse of their data, are likely to be much more onerous and immediate.
Imagine it is 9am on Monday – you find out that your data has been accessed, lost or used in some way you didn’t authorise. How long would it be before you called the company, took to Facebook, went to the “help and support” section of their web site? Certainly I think everyone would agree it would not take you until Thursday morning to get round to it… See our blog post.
So being privacy-obsessed and consumer-focussed means responding with positive, reassuring messages, information updates or proactive responses long before regulatory deadlines start to hit. And this doesn’t just extend to data breaches, which tend to attract publicity. A less obvious (or newsworthy) case is where data is accessed internally to derive marketing or customer insights in a way that might be legally permitted but runs counter to the unwritten ethos of trust between the organisation and the individual. In this case the ill-feeling or loss of trust may again be much more acute than the regulatory sanctions.
Work in the best interest of those affected not what serves the organisation
It is easy to view an incident response or breach crisis as a damage limitation scenario – where the recovery, return to normal service and limitation of damages, fines or costs is the priority.
As Forrester observes in the executive overview to their “Customer Trust And Privacy Playbook for 2018”:
“Consumers are increasingly aware of the value of their personal data. As a result, companies can no longer afford to dismiss customer concerns about the use of that data. Forrester believes that failure to respect customers’ data preferences will drive them to a more customer-obsessed competitor.”
So this means that security and privacy of information must be driven by an acute focus on the customer throughout the lifecycle of collection, use, storage and deletion, and specifically including when privacy is impinged upon or when security failings lead to exposure.
In this regard security is a subset of privacy – “be careful how you use my data” will typically include “don’t let it get uploaded to pastebin by a hacker”. So there are use cases that might not constitute a data breach or security threat but which could mean privacy is under threat. For example the following story from the UK made it into the Australian press:
A delivery driver who legitimately had the contact details for a delivery customer then contacted her separately. This is a clear breach of privacy but it is harder to interpret as a security lapse as no data went anywhere it shouldn’t, it was just used (misused) for a different purpose by the legitimate holder.
This was an easily identifiable case. For other, less overt privacy lapses, however, there will need to be an equivalent level of user and application activity information, audit trails, session data and access records to enable either detection or diagnosis.
This even extends to helping understand, during asset classification stages, whether information held (or designed into systems) is even necessary to collect, store and hence protect.
Collecting the ethnic origin of customers might seem useful for statistical purposes, but it lifts the privacy and security bar significantly – so unless you actually need to know the ethnic breakdown of your customer base it is easier for security and privacy purposes to just not bother collecting it.
As such, the parallel is clear: any solution we gear towards meeting security objectives should, in its functionality, also be able to cope with privacy scenarios.
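To make the point above concrete, here is an added example (not code from the original post) of the kind of check that the audit trails and access records it calls for make possible: the delivery-driver case is detected by asking whether each access to a customer record was covered by a legitimately assigned, still-open job. The user ids, record ids, timestamps and the one-hour grace period are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

@dataclass(frozen=True)
class Access:  # one audit-log entry: who read which field of which record, when
    user: str
    record: str
    field: str
    ts: datetime

@dataclass(frozen=True)
class Assignment:  # a legitimate purpose: this user is working this customer's job
    user: str
    record: str
    completed: Optional[datetime]  # None = job still open

def flag_out_of_purpose(accesses: List[Access], assignments: List[Assignment],
                        grace: timedelta = timedelta(hours=1)) -> List[Access]:
    """Return every access that no assignment covers: same user and record,
    and the access happens before the job completed (plus a grace period).
    Anything else is the delivery-driver case: a legitimate holder using the
    data for an unassigned purpose.
    """
    by_key = {}
    for a in assignments:
        by_key.setdefault((a.user, a.record), []).append(a)
    flagged = []
    for acc in accesses:
        covering = by_key.get((acc.user, acc.record), [])
        if not any(a.completed is None or acc.ts <= a.completed + grace
                   for a in covering):
            flagged.append(acc)
    return flagged

def at(h: int, m: int) -> datetime:  # constructed timestamps, all on one day
    return datetime(2018, 3, 5, h, m)

# Constructed sample data: hypothetical driver "d42", customer record "c1001".
ASSIGNMENTS = [Assignment("d42", "c1001", completed=at(10, 30))]
ACCESSES = [
    Access("d42", "c1001", "phone", at(10, 5)),     # during the delivery: in purpose
    Access("d42", "c1001", "phone", at(21, 40)),    # hours after completion: flagged
    Access("ops7", "c1001", "address", at(11, 0)),  # no assignment at all: flagged
]

def run_sample() -> List[Access]:
    return flag_out_of_purpose(ACCESSES, ASSIGNMENTS)
```

Nothing in the flagged rows is a security failure in the classic sense; both readers were authorised to hold the data, which is exactly why a purpose-aware check on the same access records matters for privacy.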
Contrition and remorse are more valuable than confidence and assurance
There are multiple cases where crises of all types have been handled badly, not just cases of security or privacy lapse. This leaves the organisation looking callous or uncaring; and doesn’t engender any positive public opinion – like sympathy for a business that has been cruelly targeted by malicious hackers.
In many cases, the organisation itself carries the blame for a breach – and often this is fair where controls were lax or the access was gained in a fairly trivial way. However, those firms were still themselves a victim of a crime (or at the very least a breach of policy) and so there is an arguably odd precedent when they are subsequently prosecuted for effectively being at the wrong end of a sliding scale of negligence.
However, it is now routine for the organisation’s feet to be held to the fire – and so sympathetic public opinion, patience and understanding are highly valuable commodities when a breach has occurred. One doesn’t get those through bluster, obfuscation and belligerent diversion.
A customer-obsessed organisation would be firmly in the individual’s corner and could not do enough to put right a wrong. The security team needs to work on that basis in how it diagnoses, understands and deals with a breach.
Lessons must be learned in a visible and evident way
The root cause of a data breach is sometimes clear (even publicised by the attacker) and other times less obvious. However, it is vital to find out the “how”, “why”, “where” and “when” (see our blog post) so that lessons can be learned and controls, processes or awareness can be improved.
Customers, data subjects, affected employees, investigators and (hopefully) senior management are going to want to see changes being made. The regulator or authority will also have its own views, suggestions and instructions.
Secondly, and perhaps more importantly, while suffering a single breach, especially in extenuating circumstances, can be forgiven, getting hit twice is much harder for people to understand and put up with, even if the nature of the two breaches is different.
Where does this leave Security Managers?
In short, it puts them in the front line of a war that is not of their making, and is wider than their remit to fight.
The reporting and processes, the technology, the data availability and the analytic capabilities that we know are necessary to deal with security threats and incident response are going to have to cover the wider gamut of privacy wherever it is reflected in the access to or use of information.
The responsiveness and outcomes of security operations activities, both as a norm and in a crisis, must also fit the marketing narrative and cultural posture of the organisation itself.
Hence, security teams need to think, act and equip themselves as if they are:
- at the vanguard of cyber security;
- obsessed with privacy across all areas of information management;
- passionate advocates for the customer or individual; and
- critical to the future financial success of the business.
It’s not so much a challenge of dealing with a data breach when it occurs; it is more about creating a wider culture where information is MANAGED so that it isn’t misused, deliberately OR accidentally, at all. No pressure!