The past year saw the acceleration of two already important information security trends:
- the ever-increasing threat of data breaches
- a rising consumer and regulatory oversight on corporate data processing.
Indeed, the year was not a good one for privacy – high profile data breaches range from the Marriott Hotels (500 million people), through marketing firm’s Exactis (340 million), all the way into India’s national identification system (1.1 billion people).
It is little surprise that on both sides of the ocean, regulators and advocacy groups are intensifying their scrutiny. In the EU the most visible initiative was an ambitious General Data Protection Regulation with strict requirements on processing. This is secured by fines of up to 4% of global revenues of wrongdoers. In the US we have observed a number of high-profile lawsuits such as the consolidated class action against Facebook. This comes against the backdrop of more activity on the part of the Federal Trade Commission.
Privacy by Design
Data breaches are bad for both business and consumers, leading to ruined reputations, decreased trust, increased churn, and direct operational and legal expenses. On the other hand, preventing data breaches remains a challenge. Thus, the requirements on system development increase by mandating the baking-in of privacy into the Software Development Life Cycle. This is the new paradigm of Privacy by Design, also enshrined in Article 25 of the GDPR. Initially conceived by Ontario’s Information Commissioner Dr. A. Cavoukian, it consists of seven broad overarching principles:
Organizational and IT Measures
But how do those lofty principles fit in practice? They require a convergence of organizational practices and technological measures that provide for a high level of data protection. The organizational side is the more familiar one – a combination between policies, processes, and standard operating procedures is must. This is then meshed together with a strong management push and extensive training towards a privacy-friendly culture. While this is more easily said than done, implementation is still within reach for (almost) all organizations.
On the technological side, things are more complicated. While privacy-enhancing technologies (PETs) have proliferated, they remain merely pieces of the privacy puzzle. Developers and security officers do have an understanding that a combination of secure multifactor authentication, strict access controls, data encryption and tamper-free logging are important components of the security architecture. However, companies have to piece all those components together.The context and the risk assessment will call for additional ones, and then the entire solution is to be rolled out and continuously supported. Given the vast amount of human and financial resources needed, this is a formidable challenge for even large organizations, let alone the medium and small business.
This is why some businesses opt for the gray area where they implement subpar protection in the hopes that regulators, activist consumer groups or competitors will not catch up on this. This needlessly exposes them to business risk that may be massive in scope. A potential solution to this problem is to leverage a cost-efficient proprietary solution that takes care of most, if not all, of the compliance needs. External vendors leverage economies of scale and scope and can provide both cutting-edge technology and advanced legal and organizational support. We at LogSentinel are focused on providing exactly this kind of cost-efficient and powerful solutions for the small and medium businesses.
Our product SentinelDB is a fully compliant and extremely secure database on the cloud that effectively prevents data breaches. We are able to offer multiple levels of encryption, AI-driven anomaly detection, and blockchain-enabled logging capabilities, thus bringing privacy protection to the next level. Irrespective of the solution, however, businesses will need to be conscious of privacy protection if they are to continue using and generating profit from a crucial asset – personal data.