Data protection trends 2012 to 2013 – hold onto your data, it will be a wild ride
by Mark Child │ Kingston Smith Consulting LLP
Since the publication of McKinsey Global Institute’s ‘Big data: The next frontier for innovation, competition, and productivity’ report in May 2011, businesses have adapted and innovated to take advantage of the opportunities offered by large volumes of data on customers, competitors, markets and products. Every opportunity, however, presents risks and rewards. This article discusses the key threats facing global organisations across a range of sectors over the next 12 months.
Clouded decision making on cloud computing
Cloud storage offers a number of ready-made solutions for businesses storing and sharing large amounts of data. But the right questions need to be asked, including "where (geographically) is our data being stored?" If it is not within the European Economic Area, there are implications under the applicable data protection legislation. For example, in the UK and Northern Ireland, the Data Protection Act 1998 applies.
In any case, you must by law have proper contractual arrangements to ensure that the third party hosting your data is implementing appropriate security controls. For example, for which other organisations is your cloud provider hosting data in the same cloud? Is the cloud a mixture of ‘public’ and ‘private’, for your organisation or for other users? From where does the provider intend its own staff should access the cloud for maintenance – from within Europe or outside? The security of data depends on the answers to these questions.
Examine any cloud contract to see what guarantee it gives for data availability. Even 99.9 percent availability means approximately nine hours of problems per year. For businesses working nights, weekends and public holidays, one idea may be to customise the defined peak time to avoid business interruptions. We predict the challenges arising from cloud computing to be a significant risk in the next 12 months.
It wasn’t me – third party responsibility for data losses
When formulating contingency plans regarding data loss, organisations often rely on the contractual assurances or copies of policies provided by third parties such as data processors, outsourcers or other suppliers. The latest high-profile example shows that organisations are often more vulnerable through breaches of their third parties. In February 2012 it was announced that up to 1.5 million Visa and Mastercard records were compromised because of a breach at their payment processor. But data security breaches are rarely straightforward loopholes to be closed. At the time of writing, Visa’s continuing investigations have revealed the breach could have occurred as early as June 2011 – seven months before the announcement.
Another worry is that good IT governance is often not extended, monitored or tested throughout the supply chain. According to the influential ‘Data Breach Report’ published by Verizon in late 2011, 67 percent of breaches were in organisations employing between 11 and 100 people. Often the responsible person examining a third party’s controls assurance report does not possess the technical expertise to assess access control protocols or IT architecture vulnerabilities. We predict the challenges arising from third party failures to be a significant risk in the next 12 months.
Prisoners of our own device: mobile security
Mobile computing has begun to change, and will continue to change, how many corporations do business. Many organisations see mobility as a key pillar of their consumer strategy, as well as an opportunity to harness and improve business processes. These range from developing ‘apps’ for consumers’ smartphones to simple improvements such as using tablets to take patrons’ orders in restaurants.
Strategy Analytics predicts the mobile media business will increase business revenues globally by 50 percent to $150m over the next 12 months. An April 2012 report, produced jointly by the UK government and the private sector for the Information Security Europe conference, estimates that only 39 percent of data downloaded by staff to tablets and mobile devices is encrypted, and that 82 percent of all companies studied had suffered security breaches caused by staff. We predict the challenges arising from mobile devices to be a significant risk in the next 12 months.
Muscle from Brussels: regulatory changes
Into 2013 and beyond, businesses handling data need to prepare for the eventual adoption by all EU member states of the updated EU Directive on Data Protection. This regime will give more power to local regulators, such as requiring mandatory notification within 24 hours of any data breach. The European Commission will also have the right to levy fines of up to 2 percent of global turnover on companies breaching EU law. Big businesses, such as Google, have indicated they won’t give up without a fight. Not all local regulators are excited, though. Speaking at the Information Security Europe conference in April 2012, the UK’s Information Commissioner stated that the "last thing [the Information Commissioner’s Office] wants is to be deluged with breach notices". We predict the challenges arising from an increased regulatory burden to be a high risk in the next 12 months.