privacy Archives - Cyber Secure Forum | Forum Events Ltd
Posts Tagged :

privacy

Health Tech and Personal Data: What ‘Powered by Data’ means for healthcare tech

 960 640 Stuart O'Brien
By:
0
0

By Lucy Pegler, partner, and Noel Hung, solicitor, at independent UK law firm Burges Salmon

In June 2023, the NHS launched the ‘Powered by Data’ campaign to demonstrate how use of health data delivers benefits for patients and society. The campaign draws on examples of how the responsible use of patient data can support innovation in the healthcare sector from developing new tools to support patients and helping to understand how to deliver better care.

Although framed in the context of public health services, the concept of ‘Powered by Data’ is applicable more widely to the healthcare sector. Public and private providers of healthcare whether in-person in healthcare settings or through increasingly innovative digital services, will collect data in every interaction with their patients or clients. The responsible and trustworthy use of patient data is fundamental to improve care and deliver better, safer treatment to patients. 

What is health data?

The Data Protection Act 2018 (“DPA”) defines “data concerning health” as personal data relating to the physical or mental health of an individual, including the provision of health care services, which reveals information about their health status.

Healthcare organisations that typically manage data concerning health have an additional obligation to also maintain “genetic data” and “biometric data” to a higher standard of protection than personal data generally.

If you process (e.g. collect, store and use) health data in the UK, UK data protection laws will apply. Broadly speaking, UK data protection law imposes a set of obligations in relation to your processing of health data. These include:

  • demonstrating your lawful basis for processing health data – health data is considered special category personal data meaning that for the purposes of the UK General Data Protection Regulation, healthcare providers must demonstrate both an Article 6 and an Article 9 condition for processing data. Typically, for the processing of health data, one of the following three conditions for processing must apply:
  1. the data subject must have given “explicit consent”;
  2. processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services; or
  3. processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of healthcare and of medicinal products or medical devices.
  • transparency – being clear, open, and honest with data subjects about who you are, and how and why you use their personal data.
  • data protection by design and default – considering data protection and privacy issues from the outset and integrating data protection into your processing activities and organisation-wide business practices.
  • technical and organisational measures– taking appropriate and proportionate technical and organisational measures to manage the risks to your systems. These measures must ensure a level of security appropriate to the risk posed.
  • data mapping – understanding how data is used and held in your organisation (including carrying out frequent information audits).
  • use of data processors – only engaging another processor (a ‘sub-processor’) after receiving the controller’s prior specific or general written authorisation.

The NHS and the adult social care system have stated their commitment to upholding the public’s rights in law, including those enshrined in the DPA 2018 and the common law duty of confidentiality. These obligations extend to healthcare providers, whether NHS, local authority and private, whether through online, digital healthcare solutions or more traditional in-person settings.

The Caldicott principles

The Caldicott principles were first introduced in 1997 and have since expanded to become a set of good practice guidelines for using and keeping safe people’s health and care data.

There are eight principles that apply, and all NHS organisations and local authorities which provide social services must appoint a Caldicott guardian in place to support with keeping people’s information confidential and maintaining certain standards. Private and third sector organisations that do not deliver any publicly funded work do not need to appoint a Caldicott guardian.

However, the UK Caldicott Guardian Council (“UKCGC”) considers it best practice for any organisation that processes confidential patient information to have a Caldicott Guardian, irrespective of how they are funded.

The role of the Caldicott guardian includes ensuring that health and care information is used ethically, legally and appropriately. The principles also allow for the secure transfer of sensitive information across other agencies, for example the Social Services Education, Police and Judicial System. Further details of the principles can be found here.

The Common Law Duty of Confidentiality (“CLDC”)

Under the CLDC, information that has been obtained in confidence should not be used or disclosed further, unless the individual who originally confided such information is aware or subsequently provides their permission.

All NHS Bodies and those carrying out functions on behalf of the NHS have a duty of confidence to service users and a duty to support professional and ethical standards of confidentiality. This duty of confidence also extends to private and third-sector organisations providing healthcare services.

NHS-specific guidance

Providers who work under the NHS Standard Contract may also utilise the NHS Digital Data Security and Protection Toolkit to measure their performance against the National Data Guardian’s 10 data security standards. All organisations that have access to NHS patient data and systems must use this toolkit to provide assurance that they are practising good data security and that personal information is handled appropriately.

Furthermore, the toolkit contains a breach assessment grid to support with deciding the severity of the breach using a risk score matrix to determine whether the breach needs to be reported, which supports with reporting security incidents to the ICO, the Department of Health and Social Care and NHS England.

Health and Care Act 2022

As integrated care systems continue to develop, the new Health and Care Act 2022 introduces significant reforms to the organisation and delivery of health and care services in England. In particular, the Act makes numerous changes to NHS England (which has now subsumed NHS Digital) to require data from private health care providers when it considers it necessary or expedient for it to have such data to comply with a direction from the Secretary of State to establish an information system.

The Act also allows the Secretary of State for Health and Social Care to mandate standards for processing of information to both private and public bodies that deliver health and adult social care, so that data flows through the system in a usable way, and that when it is accessed or provided (for whatever purpose) it is in a standard form, both readable by and consistently meaningful to the user or recipient.

Benefits of sharing personal data  

Healthcare professionals have a legal duty to share information to support individual care (unless the individual objects). This is set out in the Health and Social Care Act 2012 and the Health and Social Care (Quality and Safety) Act 2015. The sharing of health and social data between NHS organisations and pharmacies could better transform the way healthcare services are provided as well as grant continuity between the various providers. Having a single point of contact with patients is what makes the healthcare system in the UK distinct from other systems around the world. In addition, patient information could be used for research purposes as well as in the development and deployment of data-driven technologies.

A note on cyber security

Given the sensitive nature of health data and patient information, healthcare providers are particularly susceptible to data breaches. In response to the UK government’s cyber security strategy to 2030, the Department of Health & Social Care published a policy paper entitled ‘A cyber resilient health and adult social care system in England: cyber security strategy to 2023’ in March 2023.

Cyber resilience is critical in the healthcare sector and providers must be able to prevent, mitigate and recover from cyber incidents. Strong cyber resilience dovetails with providers’ obligations under UK GDPR to maintain appropriate technical and organisational measure. For public providers and those providing into the public sector, a deep awareness of the DHSC’s Strategy is critical.

Consequences for failure to comply

Whilst there is a lot of focus on the maximum fines under UK GDPR of £17.5 million or 4% of the company’s total worldwide annual turnover (whichever is higher), in the context of the healthcare sector, there is also significant reputational risk in terms of both an organisation’s relationship with its patients and with its customers and supply chain. Organisations should also be aware of their potential liability resulting from claims from patients and potential contractual liability and consequences.

Photo by Irwan @blogcious on Unsplash

For data privacy, access is as vital as security 

 960 640 Guest Post
By:
0
0

By Jaeger Glucina, MD and Chief of Staff, Luminance 

If you’re in the UK, you could hardly have missed the story this summer about Nigel Farage’s public showdown with the specialist bank Coutts. What started as an apparent complaint about a lack of service being provided to Farage quickly became a significant political talking point and, ultimately, resulted in the CEO of the NatWest-owned bank resigning his position.

However, if your work sees you taking responsibility for security, compliance, and business continuity, you may need to take stock of how this story highlights an approaching risk factor that all companies need to be aware of. While the details of Coutt’s decision to drop Farage as a customer were being launched onto the newspapers’ front pages, the actual way in which Farage obtained that information remained very much a secondary story.

Those details were obtained when Farage lodged a data subject access request, or ‘DSAR’, with Coutts. This legal mechanism, introduced as part of the EU’s General Data Protection Regulation, compels organisations to identify, compile, and share every piece of information that they hold relating to an individual. This could range from basic data like names and addresses in a customer database to internal email or text conversations pertaining to them.

The purpose, as with analogous legislation like the California Consumer Privacy Act, is to tip the scales of power around matters of data and privacy back in favour of the consumer. To achieve that, there is real regulatory muscle to ensure that DSARs are acted on. Upon receipt, organisations must respond within thirty days, and non-compliance can carry a fine of up to 4% of the business’s annual global turnover.

The reputational damage that a DSAR could trigger for some businesses should, by now, be readily apparent. Even benign requests can pose a serious challenge to an organisation’s legal resource.

While the potentially punitive results of non-compliance makes DSARs a priority issue, mounting a response is not easy as you might think. The breadth of the request demands an exhaustive and wide-ranging search through information systems, including records of Slack messages and video calls as well as emails, documents, spreadsheets, and databases. At the same time, of course, our usage of such systems is ever-expanding. Every new productivity tool in an organisation’s arsenal will represent a potential landing point for sensitive data which needs to be collated, analysed and appropriately redacted in a DSAR process.

You can imagine that for legal teams this is an onerous workload which saps capacity from higher-value areas of work that drive business growth. Worse, it is a highly labour-intensive, repetitive process which few legal professionals would ideally choose to engage in. Many external firms won’t take DSAR cases on, and if one can be found the fees will likely run to tens of thousands of pounds.

All of that adds up to a growing need for a new kind of data discoverability: not just a way for businesses to oversee data siloes, but to analyse and draw from them in a highly specific way which meets strict legal criteria.

Clearly, the repetitive and precise nature of the task makes it a perfect candidate for automation. With AI, teams can rapidly cull datasets down to just those items which are likely to be relevant before identifying any personal data which needs to be excluded or redacted. In one recent rollout of the technology, this resulted in UK-based technology scale-up, proSapient, halving the time taken to respond to a DSAR and avoiding £20k in costs while maintaining the robust level of detail which GDPR compliance demands.

Any data professional out there knows that a proliferation of personal data residing in systems is an almost inevitable consequence of our modern working practices: digital tools underpin our productivity, and information about people, whether they are customers, clients, or employees, is relevant to almost any process.

Anecdotally, we know that whenever a story involving DSARs hits the headlines, businesses experience a spike of requests. The GDPR may now be half a decade old, but awareness of how it can be leveraged will only continue to grow – far past the capacity of existing tools and team structures to cope.

That means that empowering legal teams with the tools they need manage this new data reality is of paramount importance, both to safeguard the organisation’s future resilience and continuity, and to enable them to focus on delivering the levels of productivity expected from them.

Over 90% of online trackers are from Facebook, Microsoft and Google

 960 640 Stuart O'Brien
By:
0
0
93.7% of online trackers are from Facebook, Microsoft and Google, with the latter’s making up 49.9% of all trackers found on the web.
That’s according to research from Atlas VPN, which notes that Google’s YouTube and ad network Doubleclick also have a significant share of trackers online. YouTube has a 13.8% share, while Doubleclick trackers make up 8.3%.
Out of all trackers, Facebook’s trackers make up 15.7% of the share. Facebook, Atlas VPN reminds us, has suffered multiple data breaches in the past and has been involved in privacy scandals.
Microsoft’s trackers are the least common in this list, with 6% of the share. Finally, Hotjar has a 6.3% share of trackers online. Their tracker helps websites collect IP address, device type, operating system browser type, window size, and content.
Beyond trackers, other web privacy threats exist that can corrupt your safety online.
Session replay script was found in 35% of the scanned websites. This type of threat captures visitors’ journey on the website. During the recording of the user’s session, the script may also capture personal identifiable information (PII).
Fingerprinting scripts were present in 30.9% of websites. About one out of four (24.9%) websites had a newly registered domain name. Foreign actors from countries like Russia, Belarus, China, and Iran originated 9% of malicious scripts. Malware and bad SSL were each present in just 0.1% of websites.
To read the full research result, click here.

The secrets of no drama data migration

 960 640 Guest Post
By:
0
0

With Mergers, Acquisitions and Divestments at record levels, the speed and effectiveness of data migration has come under the spotlight. Every step of this data migration process raises concerns, especially in spin-off or divestment deals where just one part of the business is moving ownership. 

What happens if confidential information is accessed by the wrong people? If supplier requests cannot be processed? If individuals with the newly acquired operation have limited access to vital information and therefore do not feel part of the core buyer’s business? The implications are widespread – from safeguarding Intellectual Property, to staff morale, operational efficiency, even potential breach of financial regulation for listed companies.

With traditional models for data migration recognised to be high risk, time consuming and can potentially derail the deal, Don Valentine, Commercial Director at Absoft explains the need for a different approach – one that not only de-risks the process but adds value by reducing the time to migrate and delivering fast access to high quality, transaction level data…

Recording Breaking

2021 shattered Merger & Acquisition (M&A) records – with M&A volume hitting over$5.8 trillion globally. In addition to whole company acquisitions, 2021 witnessed announcements of numerous high-profile deals, from divestments to spin-offs and separations. But M&A performance history is far from consistent. While successful mergers realise synergies, create cost savings and boost revenues, far too many are derailed by cultural clashes, a lack of understanding and, crucially, an inability to rapidly combine the data, systems and processes of the merged operations.

The costs can be very significant, yet many companies still fail to undertake the data due diligence required to safeguard the M&A objective. Finding, storing and migrating valuable data is key, before, during, and post M&A activity. Individuals need access to data during the due diligence process; they need to migrate data to the core business to minimise IT costs while also ensuring the acquired operation continues to operate seamlessly.  And the seller needs to be 100% confident that only data pertinent to the deal is ever visible to the acquiring organisation.

Far too often, however, the data migration process adds costs, compromises data confidentiality and places significant demands on both IT and business across both organisations.

Data Objectives

Both buyer and seller have some common data migration goals. No one wants a long-drawn-out project that consumes valuable resources. Everyone wants to conclude the deal in the prescribed time. Indeed, completion of the IT integration will be part of the Sales & Purchase Agreement (SPA) and delays could have market facing implications. Companies are justifiably wary of IT-related disruption, especially any downtime to essential systems that could compromise asset safety, production or efficiency; and those in the business do not want to be dragged away from core operations to become embroiled in data quality checking exercises.

At the same time, however, there are differences in data needs that can create conflict. While the seller wants to get the deal done and move on to the next line in the corporate agenda, the process is not that simple. How can the buyer achieve the essential due diligence while meeting the seller’s need to safeguard non-deal related data, such as HR, financial history and sensitive commercial information? A seller’s CIO will not want the buying company’s IT staff in its network, despite acknowledging the buyer needs to test the solution. Nor will there be any willingness to move the seller’s IT staff from core strategic activity to manage this process.

For the buyer it is vital to get access to systems. It is essential to capture vital historic data, from stock movement to asset maintenance history. The CIO needs early access to the new system, to provide confidence in the ability to operate effectively after the transition – any concerns regarding data quality or system obsolescence need to be flagged and addressed early in the process. The buyer is also wary of side-lining key operations people by asking them to undertake testing, training and data assurance.

While both organisations share a common overarching goal, the underlying differences in attitudes, needs and expectations can create serious friction and potentially derail the data assurance process, extend the SPA, even compromise the deal.

Risky Migration

To date processes for managing finding, storing and managing data pre, during and post M&A activity have focused on the needs of the selling company. The seller provided an extract of the SAP system holding the data relevant to the agreed assets and shared that with the buyer. The buyer then had to create configuration and software to receive the data; then transform the data, and then application data migration to provide operational support for key functions such as supplier management.

This approach is fraught with risk. Not only is the buyer left blind to data issues until far too late but the entire process is time consuming. It also typically includes only master data, not the transactional history required, due to the serious challenges and complexity associated with mimicking the chronology of transactional data loading. Data loss, errors and mis-mapping are commonplace – yet only discovered far too late in the process, generally after the M&A has been completed, leaving the buyer’s IT team to wrestle with inaccuracy and system obsolescence.

More recently, different approaches have been embraced, including ‘behind the firewall’ and ‘copy/raze’.  The former has addressed some of the concerns by offering the buyer access to the technical core through a temporary separated network that houses the in-progress build of the buyer’s systems. While this avoids the need to let the buyer into the seller’s data and reduces the migration process as well as minimising errors, testing, training and data assurance, it is flawed. It still requires the build of extract and load programs and also uses only master data for the reasons stated above. It doesn’t address downtime concerns because testing and data assurance is still required. And it still demands the involvement of IT resources in non-strategic work.  Fundamentally, this approach is still a risk to the SPA timeframe – and therefore does not meet the needs of buyer or seller.

The ‘copy/raze’ approach has the benefit of providing transactional data. The seller creates an entire copy and then deletes all data relating to assets not being transferred before transferring to the buyer. However, this model requires an entire portfolio of delete programmes which need to be tested – a process that demands business input. Early visibility of the entire data resources ensures any problems that could affect the SPA can be flagged but the demands on the business are also significant – and resented.

De-risking Migration

A different approach is urgently required. The key is to take the process into an independent location. Under agreement between buyer, seller and data migration expert, the seller provides the entire technical core which is then subjected to a dedicated extract utility. Configuration is based on the agreed key deal assets, ensuring the extraction utility automatically undertakes SAP table downloads of only the data related to these assets – removing any risks associated with inappropriate data access. The process is quicker and delivers better quality assurance. Alternatively, the ‘copy/raze’ approach can be improved by placing the entire SAP system copy into escrow – essentially a demilitarised zone (DMZ) in the cloud – on behalf of both parties.  A delete utility is then used to eradicate any data not related to the deal assets – with the data then verified by the seller before the buyer has any access. Once confirmed, the buyer gains access to test the new SAP system prior to migration.

These models can be used separately and in tandem, providing a data migration solution with no disruption and downtime reduced from weeks to a weekend. The resultant SAP solution can be optimally configured as part of the process, which often results in a reduction in SAP footprint, with the attendant cost benefits.  Critically, because the buyer gains early access to the transaction history, there is no need for extensions for the SPA – while the seller can be totally confident that only the relevant data pertaining to the deal is ever visible to the buyer.

Conclusion

By embracing a different approach to data migration, organisations can not only assure data integrity and minimise the downtime associated with data migration but also reduce the entire timescale. By cutting the data due diligence and migration process from nine months to three, the M&A SPA can be significantly shorter, reducing the costs associated with the transaction while enabling the buyer to confidently embark upon new strategic plans.

Normalising data leaks: A dangerous step in the wrong direction

 960 640 Guest Post
By:
0
3

It was only recently, in early April, when it came to light that the personal data from over 500 million Facebook profiles had been compromised by a data leak in 2019. And since then, an internal Facebook email has been exposed, which was accidentally sent to a Belgian journalist, revealing the social media giant’s intended strategy for dealing with the leaking of account details from millions of users. Worryingly, Facebook believes the best approach is to ‘normalise the fact that this activity happens regularly,’ and to frame such data leaks as a ‘broad industry issue’. 

It’s true that data breaches occur everyday, and are increasingly on the rise – new research predicts there will be a cyber attack every 11 seconds in 2021, nearly twice what it was in 2019. However, this doesn’t mean that it should be normalised. Quite the opposite in fact, explains Andrea Babbs, UK General Manager, VIPRE SafeSend...

Dangerously dismissive

The statement from Facebook is a very worrying strategy to come from a business which holds the personal and business data of millions across its platforms. Particularly in the wake of increasingly stringent regulations appearing globally, it is startling for such a large organisation to casually dismiss data leaks. To give businesses an excuse to no longer invest time, money and effort in data security is a dangerous step in the wrong direction.

Personal data is a valuable currency for cyber hackers, and individuals want to ensure it is protected. Leaking this confidential data, such as medical information, credit card numbers or personally identifiable information (PII) can have far-reaching consequences for both individuals and businesses. Keeping this data safe should be businesses’ number one priority. However, data is only as safe as the strength of an organisation’s IT security infrastructure and its users’ attention to detail.

A defence on multiple fronts

If you do not have the right technology in place to keep your data safe, then you will face problems – but the same goes for having the right tools and training available to your users. Data security is a difficult and never-ending task, one which requires ongoing investments on multiple fronts by every organisation in the world.

Particularly in the wake of COVID-19, businesses have had to transition to remote working and accelerate their processes to the cloud. Moving to cloud based security which moves with your users is key. And investment in user training will become more normalised because an uneducated workforce is a big risk to an organisation’s data security efforts. 

To combat such threats, deploying a layered security approach is necessary for both small and large businesses. In today’s modern threat landscape, a data protection plan needs to include cover for both people and technology at its core. There are innovative tools available, such as VIPRE’s SafeSend, which supports busy, distracted users to double check their attachments or recipient list before sending an email to help them make more informed decisions around the security of their data. Additionally, companies need to invest in thorough and more frequent security awareness training programmes, which include phishing simulations as a key component.

We will also see a bigger move towards Zero Trust Network Access (ZTNA) tools – which only allow people to access the data they need, not the entire network. There will be an evolution in this area, and protection for a workforce ‘on the go’ will become the standard, but with the same foundational principles of investing in the right technology, and the users themselves. 

Reputation and responsibility

No matter where users are or what they are doing, keeping security front of mind will be one way to ensure good IT security hygiene for businesses. Those who have already made significant progress in this area will reap the rewards in terms of safe data and reassured customers, clients and prospects. 

Businesses that get out in front of all areas of data loss, not just attacks from bad actors, are the ones that will do well in the long term. The ability to reassure customers and prospects of the safety of their data will become the new marketing message in the coming years, which is why attempting to normalise data loss could be so damaging to Facebook’s reputation.

Cyber threats are only going to increase in sophistication and become more personalised to the individual by using social engineering attacks or fileless based attacks. Attackers are going to continue to take advantage of current events, such as COVID-19, to trick users into clicking a link, downloading an attachment or signing into a phishing website etc.

Businesses of all sizes have a responsibility to keep data secure – and users must be a part of the solution, rather than the problem. In order to do this, businesses need to place cybersecurity as a priority throughout their processes and invest in the right tools and training to make this more of a business-critical solution, and less of an ‘emerging necessity’ as it is now.

GDPR

The data dichotomy and the vital importance of effective self-regulation

 960 640 Guest Post
By:
0
6

The data privacy debate that has raged for the past decade has patently failed to meet the needs of either industry or consumers. Legislative change continues to challenge digital marketing models – and has had little impact on consumer trust: Edelman’s 2021 Trust Barometer cites an era of “information bankruptcy”, with global trust levels at an all-time low. What has to change? John Story Vice President, Deputy General Counsel Global GTM, Acoustic, EMEA, explains why effective self-regulation is a vital step in rebuilding consumer trust...

Ethical Challenge

Data privacy is once again, front and centre of the advertising and marketing debate. From the imminent demise of third-party cookies, to ever-increasing privacy regulations including GDPR, UK DPA 2018 (essentially the post-Brexit version of GDPR), and the Privacy and Electronic Communication Regulations (PECR)—as well as the latest Apple / Facebook ad tracking row–it’s easy to see how consumers and marketers alike might be scratching their heads over where, how and why data can be used.

Marketers are justified in bemoaning the impossibility of doing an effective job or meeting customers’ desires for better, more relevant and personalised messaging given the increasing constraints placed by legislative change. But the industry needs to face facts: it has been too slow and too reactive. 

Just consider the inadequate industry response to scandals such as Cambridge Analytica’s data misuse. Effective self-regulation should have become an absolute priority, yet little happened. When the industry fails to step in and address its problems, when companies sit and wait for a major issue to emerge and only then attempt to address the fall out, legislators feel they have little option but to intervene. The results are more often than not to the detriment of everyone in the ecosystem.

Effective Self-Regulation 

For marketers, consumer trust is essential to survival – and the onus is on the industry to rebuild and sustain that trust. Which is why, however the motives are perceived, Apple’s recent move is a positive step in reinvigorating the debate and, hopefully, accelerating the adoption of the effective self-regulation that will rebuild consumer trust and confidence.

Improving the way companies – of every size – notify consumers, then request and honour consent is an indispensable step in the creation of an industry that truly recognises the importance of ethical behaviour. By finding a way to convey a commitment to data privacy without confusing or overwhelming the end customer, the industry can avoid the risk of further inappropriate or clumsy legislation – legislation that is both implemented inconsistently and fails to improve consumer confidence.  

Legislation takes too long to devise and ratify – making it technologically out-of-date by the time it is enforced. Even worse, once in place, it’s incredibly hard to change. It also rarely achieves the essential change in attitude to data ethics and data privacy that’s required. Legislators may hope fines encourage organisations throughout the data ecosystem to modify behaviour, but when the culture is one of enforcement the modification in behaviour is often the minimum required to avoid future sanction.  

Take Ownership of Data Ethics

Public trust can be rebuilt and maintained if the industry takes appropriate, ethically sound, self-regulatory steps that evolve with technology and public perception. There should then be little call for regulators and governments to step in and impose stifling legislation.

However, it’s important to recognise that this affects every company, every marketer, and every MarTech provider. This is not just an issue for the large technology companies. Indeed, given the fact that Apple remains a lone voice and there has been little sign from Google or Facebook of a willingness to put effective self-regulation ahead of revenue generation goals, unless marketers and MarTech companies highlight the ethical data privacy debate and take action, change won’t occur.

This is nothing new: the marketing and advertising industry has always worked together on self-regulation – from the development of advertising standards onwards. The only change is the technological context. Abdicating responsibility for data privacy and a commitment to data ethics will only erode public trust further and lead to the imposition of additional legislation.

Conclusion

We have seen the changes that can be achieved as a result of high-profile debate. With recent concerns about hateful content and misinformation online, for example, social media providers took positive steps to self-regulate;  they recognised that working effectively together was important to create a long-term future for their platforms. The next step must be to encourage the same levels of effective self-regulation around data usage and advertising.

Apple has nudged open the debate on data privacy and data ethics. The onus is now on players throughout the industry to push that door wide. Public trust is imperative – and that means effective self-regulation and the creation of a data ecosystem built on transparency and informed consent.

STUDY: Covid-19 technologies must be regulated to stop ‘big brother’ society

 960 640 Stuart O'Brien
By:
0
0

Technologies, such as track and trace apps, used to halt the spread of covid-19 have to be thoroughly examined and regulated before they are rolled out for wider adoption, to ensure they do not normalise a big-brother-like society post-covid-19.

That’s according to research conducted by Jeremy Aroles, Assistant Professor in Organisation Studies at Durham University Business School, alongside Aurélie Leclercq-Vandelannoitte, Professor of Management of Information Systems at IÉSEG School of Management, which draws from the concept of ‘societies of control’, developed by the French philosopher Giles Deleuze, in order to analyse the technologies currently being used to tackle the covid-19 pandemic.

Whilst the study acknowledges the public health benefits of these technologies, the researchers state we must be wary of what technology is rolled out by governments and critically cross-examine these.

Dr. Aroles said: “Presented as ways to curb the immediate progression of the pandemic and improve safety, the acceptance and use of these technologies has become the new “normal” for many of us, therefore it is important that these systems of control are heavily vetted and cross-examined before being rolled out to the wider public.”

The researchers suggest three solutions regarding the development and use of covid-19-related technologies.

First, the public should question the locus of collective responsibility. Increasingly complex systems of control and surveillance have been fuelled by our reliance on technology which, the researchers say, has blurred our understanding of the boundary between “good and bad” or “right and wrong”.

Second, more must be done to raise people’s awareness of how digital technologies work, and the risks of adopting them across society. People are often, rightly, concerned over their privacy and the sharing of their data. It is therefore crucial that these technologies are transparent and actively help individuals fully understand the ramifications of the control systems they’re opting in to.

Third, given that covid-19 tracking technologies are developed by companies for the benefit of governments, it is vital that greater regulation of the partnerships between state authorities and companies is adopted. Alongside this, it is also important that counter-powers such as journalists and the public hold these partnerships to account, to ensure they do not violate the privacy of citizens for financial gain.

The researchers state that it is important the covid-19 pandemic is not utilised as an opportunity to enforce a society of control and to normalise greater surveillance. They suggest that researchers or bodies specialising in the management of information systems should be brought in to supervise the developments of digitally enabled control systems, such as covid-19 apps, and not to abandon them to companies that could violate the privacy of citizens.

Ecommerce explosion ‘opens cyber attack floodgates’

 960 640 Stuart O'Brien
By:
0
0

According to the Global Information Security Survey by Ernst and Young, customer information is the most valuable type of data for most attackers.

The threat to cybersecurity and privacy is increasing: about 6 in 10 organizations (59%) have faced a significant incident in the past 12 months, and 48% of executive boards believe that cyber attacks and data breaches will more than moderately impact their business in the next 12 months. 

Data breaches involving payment fraud and other issues related to online security have skyrocketed over the past few years, coinciding with the growth of the e-commerce industry, especially during the COVID-19 mandated quarantine regime. Measures to protect businesses and customers against cyber threats have never been more important.

One challenge that has grown for e-commerce businesses is that of open-source software vulnerabilities, according to NordVPN. Open-source software uses code that anyone can view, modify, or enhance. And while it has been hugely valuable to e-commerce businesses, it also carries a number of cybersecurity challenges.

‘’Open-source software is popular because it is often free to use or can be modified to suit the individual needs of a business. But this popularity means that any vulnerabilities found in the code can be a massive problem across a huge number of websites. Add in the changes COVID-19 has brought, and this problem has intensified a lot. Companies should really start making technical improvements to their websites fast if they want to avoid a potentially catastrophic breach. If they continue using unpatched, open-source software with vulnerabilities, they’ll leave themselves open to attacks,’’ said Juta Gurinaviciute, Chief Technology Officer at NordVPN Teams.

Another issue businesses are facing is the rise in attacks on outdated or fake plugins. When used on companies’ websites, these compromised plugins can lead to the spread of malware. One such issue is e-skimming — an attack where malware infects online checkout pages to steal payment and personal information of shoppers. E-skimming is getting more common — companies both large and small have been hit by e-skimming attacks in the past two years, and that includes big names like Macy’s, Puma, and Ticketmaster. 

Other security threats to e-commerce sites include phishing, ransomware, SQL injection, DDoS attacks, and cross-site scripting (XSS).

E-commerce websites hold a lot of valuable data about their customers, and that makes business owners a target. Customers put a lot of trust in the merchants they shop with, providing personal data and sensitive payment information with every purchase. Earning consumer trust is critical to a continued relationship. Once lost, earning it back is really hard.

Businesses are also required to meet various compliance standards, and fines can be levied if those are not met. In case of a breach, there is a whole host of other problems to address: forensic investigation, data recovery services, credit monitoring for impacted parties, and liability insurance to help mitigate this financial risk, to name just a few.E-commerce security is never a done deal. Threats and hacking methodologies evolve at an alarming rate, so maintaining awareness and a security-focused mindset is the key to staying secure. Layering multiple solutions for business security is one of the best ways to keep an online business safe against cyber attacks.

‘’Companies can start with their firewalls (including web application firewalls), making sure the connection is secure, ensuring that passwords are strong, implementing multi-factor authentication, using intrusion detection systems, and constantly monitoring and updating web platforms,’’ the NordVPN Teams expert added.

These are the key data privacy issues in 2020

 960 649 Stuart O'Brien
By:
0
1

Tuesday January 28th marked Data Privacy Day, the annual international day aimed at raising awareness of privacy and data protection issues and promoting best practices.

Here we’ve gathered up the thoughts of some leading figures from across the sector, covering everything from GDPR to biometrics and compliance, and what 2020’s priorities need to be…

Chase Buckle, Trends Manager, GlobalWebIndex

“In today’s post-Cambridge Analytica world, we’re witnessing a ground-breaking shift in consumer attitudes towards data, privacy and brand trust.

While GDPR has certainly shifted the balance of power, leading to new perspectives on consumers’ rights to share or withhold data online, 58% of UK consumers are still concerned about the internet eroding their personal data.

The increased awareness of how companies collect and use data online, also brought by events such as Data Privacy Day, has done little to alleviate concerns over online privacy more generally –  61% of UK consumers worry about how their personal data is being used by companies and 55% now prefer to be anonymous when browsing online.

This anxiety around online privacy and technology is most prevalent among younger age groups. These so-called digital natives are more conscious of the complexity of data security and technology, and are more aware of just how much they might not know around the issue. In fact, the younger the consumer, the more likely they are to say that they don’t feel in control of their personal data online, and that they just don’t understand new technology. 

Within this new digital landscape, company reputations hinge on their trust and transparency credentials over personal data. To build consumer relationships, trust has to become one of the core elements of any brand proposition.”

Nigel Hawthorn, data privacy expert, McAfee

“Over a year after the EU’s General Data Protection Regulation (GDPR) came into force, the regulatory bodies are changing their focus from guidance to full enforcement. The GDPR framework serves as a driver for organisations to revisit their current processes and take full responsibility for how they process and store personal data. As the UK leaves the EU, this legal responsibility doesn’t go away. The UK government passed the Data Protection Act 2018 to provide an equivalent law to GDPR. As we’re stepping into a new decade, we are seeing the rise of more regulations which put internet users first and a rise in the data stored in the cloud.”

“With the increasing reliance on the cloud, businesses need to be rest assured that they have complete visibility and control over data regardless of where it is. According to our latest research, 40% of large UK businesses expect to be cloud-only by 2021. What we’re going to see in 2020 is even more data and applications shifting to the cloud – and where they migrate, cybercriminals will follow.

Today, we should recognise that the age of the cloud is here. Whether businesses are cloud-only or shifting towards a cloud-first approach, the key is to make sure it isn’t an easy target for cybercriminals.”

Zachary Jarvinen, Head of Product Marketing, AI and Analytics, OpenText – “As we welcome in another Data Privacy Day, this date – and what it represents – has never been more relevant or more important.

“It’s clear that 2020 will be the year that the rest of the data privacy iceberg begins to emerge. While regulations like Europe’s GDPR and the California Consumer Privacy Act (CCPA) have already been established, new regulatory developments surrounding data privacy are continually coming to light.

“Although these regulations have their inherent differences, the general scope of data privacy laws is to give consumers the right to know how and what type of personally identifiable information (PII) is collected, and the option to take legal action in the event that they should incur damages from bias or data security breaches. In 2019, 53% of consumers stated that they would cancel a transaction if they didn’t like something in the privacy policy – more must be done this year to make sure data privacy and protection is a top priority for companies.

“Until now, most organisations have focused their efforts on structured information, but they must also be able to understand what PII is located in textual documents. Archived data, in particular, is an especially pressing concern for most enterprises. AI-powered solutions will be instrumental in locating sensitive data and managing it through automated workflows. Today, organisations will also need to establish internal data governance practices to determine who is accountable for data security and enterprise-wide policy, which may include creating teams that blend technical and regulatory expertise.

“It’s also a great time to get started with a career in the industry. Over the past four years there has been a 75% increase in jobs with “privacy” in the title. Privacy is hot. And, finally data protection is at the table for new initiatives and technology decisions.”

Simon Wood, CEO, Ubisecure  “The topic of data privacy could not be more relevant in the current cybersecurity landscape. Last year, for example, a number of headline-hitting data breaches were revealed to be a result of misplaced security design choices – demonstrating the damaging consequences of underestimating security requirements. 

“A large cause for concern here is when it comes to businesses building identity management functionality in-house. No matter how big the development team some companies may have, a lack of experience and resources in cybersecurity areas like identity management means that building such features internally comes with increased risk. Faced by tight deadlines and pressure to get applications to market as fast as possible, teams are challenged to build functionality that properly adheres to privacy by design and proven security methodology. Often, we see the impact of not doing so through the breaches that take advantage of weak authentication policies and a failure to keep data privacy central to the whole design process. 

“One way for tech leaders to solve this problem is to deploy Identity-as-a-Service (IDaaS) solutions – cloud based authentication and identity software or APIs already proven and in use in the market. Such solutions allow teams to integrate identity features into applications as securely and as seamlessly as possible, without reinventing the wheel each time. Ultimately, this on-demand expertise reduces the risk of data breaches caused by employee-led error and places data privacy at the forefront of the development process.“

Gijs Roeffen, Director IT & Security at EclecticIQ – “As data breaches continue to hit the headlines, businesses and consumers alike are becoming more and more aware of the need to protect their data. Here are a couple of simple tips to help keep your personal information secure: 

Swap PIN codes for biometrics

“When it comes to passwords and PIN codes, people are creatures of habit. People not only use the same password across multiple online accounts, they will also happily use the same PIN code for their debit card and their phone, or a generic PIN number. In fact, cybersecurity specialist Tarah Wheeler recently shared the most common PINs used by smartphone users to secure their devices, and shockingly, the most common PIN number was 1234. 

“Passcodes and PIN numbers can easily be captured from a glance over someone’s shoulder, or can be photographed or filmed from another mobile device. Biometrics, however, such as facial recognition or fingerprints, are unique to the user and can’t be obtained in either of these ways, making them a much safer option than passwords and PINs.

 Safeguard your SMS messages

“While it is possible to intercept SMS messages over the air, it requires multiple factors to be aligned to be successful. Attacks on SMS are often very targeted, since intercepting SMS codes requires specialist knowledge and hardware. 

“Using a two-factor authentication, however, is an effective means of defence against account takeover, so be sure to check your SMS is protected. Alternatively, look into using an encrypted messaging service. Encryption jumbles the content of a message into random data until it is received on the other end, so if a hacker intercepts the message, they won’t be able to view it in full. Apple’s iMessage service uses encryption, as does WhatsApp, which works across both Android and iPhone devices.”


Ashley Bill, enterprise data consultant, Micro Focus – “Fortunately, life after the General Data Protection Regulation (GDPR) has seen organisations begin to change how they think about data privacy. While avoiding regulatory fines and reputational damage is often top of mind, savvy business leaders may also see the business benefits that effective compliance can bring: the ability to generate high quality, streamlined data that can be monetised through applying predictive analytics.

“By investing in optimised data management driven by compliance, organisations can effectively increase the value of their data. It not only saves them pouring significant amounts of time into making sense of exploding datasets, but also creates an environment where teams can effectively deploy predictive analytics to make informed decisions. Using insights gleaned from quality data, companies can better predict the preferences and behaviour of their target audiences to inform and maximise the potential of marketing, advertising and product development. Ultimately, accurately predicting what customers want and remaining a step ahead of competitors is the ‘holy grail’ of business success.

“If predictive analytics is essential for boosting business outcomes, data privacy compliance is a fundamental component. And looking ahead, it will be a major driving force behind the development of modern, ethical, data-driven organisations.”

Chris Greenwood, Senior Director and General Manager UK&I at NetApp

“Data privacy has moved beyond protection and is now a question of trust. 

“We, as consumers, trust organisations to handle our data in a secure, standardised and accountable way. But with 60% of UK businesses planning to migrate apps and data to the cloud within the next year, the risks are high. Combine this with the rise of 5G, edge computing and AI bringing about entirely new and disruptive ways to use data, organisations must ensure suitable safeguards are in place, tested and updated as we begin to unravel these various possibilities.

“75% of IT leaders anticipate that security will have the largest impact on their data strategy over the next 12 months. In order for privacy to succeed, it is the duty of companies and organisations to not only understand how and why data is being used, but also have the capabilities to remedy any ethical concerns which may naturally arise as new lines are drawn on what ‘is’ versus what ‘was’ acceptable as technology becomes ever more powerful.

“This can only be achieved by being able to see, access and conscientiously use data from any and every environment whilst affording the end user the means to control how and what data is there in the first place. Only then can user privacy truly succeed.”

Malcolm Murphy, Systems Engineering Director, EMEA at Infoblox – “You hear a lot of people in the industry talking about Zero Trust. Whist it is certainly a core element of improving data protection standards, we need to be more realistic about its wide-scale implementation.

“Despite the hype, no one is actually doing ‘Zero Trust’ yet. Putting the infrastructure in place to enable organisations to verify anything and everything trying to connect to its systems before granting access is a really hard thing to do, as we can’t easily layer it onto existing technology at scale.

“As it stands, we’re nowhere near being able to implement the Zero Trust concept at a cost-effective level, and this is unlikely to change in 2020 – and our data privacy may suffer because of it.”

“This approach will remain difficult, expensive and inconvenient. I think it will take a catastrophic event or new regulation to make organisations invest in Zero Trust, it won’t happen on its own.”

Paul Farrington, EMEA CTO, Veracode“Many businesses today are software-driven and they are conscious of the role software security plays in keeping data protected. There is a greater need to ensure security is a core part of the software development process going forward. As a new data-driven decade commences, businesses should empower developers by training them on best practices in secure coding and providing the tools to enable them to find and fix vulnerabilities in their software.

“We know that unresolved vulnerabilities that pile up over time, also known as security debt, can leave organisations exposed to data breaches. Hackers will continue to look for weak points at the application layer, which is still the predominant threat vector. By shifting security left, developers are able to fix vulnerabilities faster and more effectively, improving an organisation’s overall security and ultimately better protecting sensitive data. Across Europe, more businesses are learning that they are able to adopt application security without stifling innovation.”

Elodie Dowling, EMEA General Counsel, BMC Software

“With an increasing number of data protection laws around the world, data privacy remains a very pressing topic, and businesses such as cloud service providers continue to face an array of complex and logistical challenges to adhere to across their multi-cloud infrastructure, to ensure their customers’ data remains protected.

“Over the course of the last year, there have been a large volume of data breaches being reported. Data Privacy day comes as a very timely reminder for customers and their service providers to continue to work towards updating their existing privacy standards to a compliant level, while ensuring robust security is in place to protect customer data. Most recently, European regulators have imposed £97m in data breach fines, and businesses who operate within the cloud must remain vigilant to avoid similar penalties.

“It’s important once a business starts using a variety of cloud-based services and infrastructure to regularly carry out audits to ensure that systems and services being used remain compliant with data privacy laws. Under GDPR, personal data may not be stored longer than needed for the predefined purpose. Therefore, it’s important businesses implement retention periods, whilst having the ability to delete data effectively when retention periods have expired – both for data locally stored and in the cloud.

“Companies are able to achieve better data protection in today’s IT ecosystem through four critical measures.

  1. Visibility – IT needs the tools to know where sensitive customer data resides, how it is being processed, and by whom.
  2. DevOps – teams must be aligned to maintain security and compliance.
  3. Integrity – IT must validate structured and unstructured data automatically, and ensure that stored data is intact.
  4. Recovery – Organisations must ensure data is recoverable in a timely manner in the event of any physical or technical incidents.”