Controversy raises issues around data security, processing and outsourcing
It is a news story reminiscent of a Philip K Dick novel: a secret data mining project by one of the world’s superpowers, covertly gathering and storing huge volumes of data on citizens and businesses all over the world, bypassing the security systems of huge multinationals. Details of the US National Security Agency’s Prism Program continue to emerge. Daily, information is disclosed by whistle-blower Edward Snowdon about the scope and use of the data collected by the NSA from tech giants such as Google, Facebook and Apple.
There has been no report to date that the data gathered by the NSA has been used for anything other than for security purposes. However the fact data has found its way to the NSA without those holding it having any knowledge must give consumers and businesses pause for thought regarding data security. Some have called for organisations to boycott the companies targeted by the NSA. Others, including EU Justice Commissioner Viviane Reding, are calling on the NSA to explain this activity. While these actions might give some comfort, in many ways they do not address the larger issues of data trust and cyber security.
Every day IT systems are hacked and data is compromised. On many occasions the businesses affected are not aware of the security breach. The motives for cyber-attacks are varied. Disclosure of the NSA Prism Program demonstrates that the motives for accessing data without knowledge and consent can be political, but motives are more often fraud, theft of IP and securing commercial secrets. Businesses, consumers and public bodies should reconsider their approach to data security, processing and outsourcing.
Over recent years the profile of the typical IT department has changed. Data is no longer stored on hardware controlled by the organisation on site. Businesses are leveraging efficiencies by outsourcing IT management. Instead of emails being held on a server in the building of a company, they may be stored in a third party cloud, and accessed through a service provider. Information is more fluid and flows in and out of organisations in many different ways and forms.
What should businesses do to protect confidential business information and the information entrusted to them? Think carefully about what companies you entrust your data to. Review the terms and conditions that apply to their services. Be sure the entities to which data processing is outsourced are incentivised by robust legal agreements to keep data secure and only used for the purposes you have mandated. Consider how data might leak from your organisation. Put strong policies in place dealing with data security and enforce those policies. Data security is a topic that should be considered at board level. Build data risk and management into your corporate governance model.
If the data your business processes includes data about living individuals, remember data protection laws will apply. These laws require you to implement appropriate technological and organisational measures to keep personal data secure. Failure to comply with these laws carries legal sanctions. Think carefully before sending your data to a jurisdiction which does not have adequate cyber security arrangements, laws protecting confidential information and data protection laws. The EU has rules which govern the disclosure and permitted uses of data about people. Once you transfer data outside of the European Economic Area, you are legally required to take steps that recognise the laws protecting data in other jurisdictions may be weaker.
Carry out periodic audits of data security measures. Undertake regular IT reviews and keep your IT security policy up to date. Review decisions to outsource data processing and storage regularly. Use the most up to date anti-virus and malware software. Maintain and implement a robust password and user privilege/access policy. Secure Wi-Fi and other communications networks.
Have a good incident or breach policy that ensures data security breaches are brought quickly to management’s attention and acted upon immediately. In some cases it will be necessary or advisable to notify the Irish Data Protection Commissioner in relation to the breach.
Unfortunately the Criminal Justice (Cybercrime and Attacks against Information Systems) Bill implementing the ratification of the Council of Europe Convention on Cybercrime and the transposition of the EU Framework Decision on attacks against Information Systems has languished in the legislative programme of successive governments.
However if you suffer a security breach, it is still a good idea to contact the Garda. While it is not possible to eliminate risk to data, risk can be managed and greatly reduced by a combination of legal arrangements and good organisational practices.
This article was first published in the Irish Times on 17 June 2013 under the title 'US data scandal highlights need for businesses to review their IT policies'.