As part of our Data Hygiene blog series, we’re launching a new series of discussions relevant to our client base, around the issues, regulations and ethics of the exploding data economy. This week, we look at the governance around data security, and ask what brands and organisations need to be doing to mitigate future crises.
For three weeks following Black Friday in late November last year, shoppers were busy hitting the Target store in University Heights, Ohio, USA. No less intent on getting something new for Christmas were hackers busily hitting the shoppers themselves: having got into Target’s network with credentials stolen from a third-party vendor, they planted card-stealing malware on point-of-sale terminals across the chain and carried out what is possibly the largest breach of personal data yet seen.
The hackers compromised 40 million credit and debit card numbers, and may also have gathered personal details of a further 70 million customers, more than a fifth of the US population. An investigation into the breach is ongoing. The events at once put renewed emphasis on customer concerns over the security of personal information – and highlighted the market value of data.
Jane Frost, chief executive of the Market Research Society, underlined the need for organisations to respond to public anxieties about data. Speaking at the Personal Information Economy 2014 event, she stated that complaints about data use made to the Society were at “an all time high”.
Frost’s comments come at a time when our ability to process vast amounts of data for marketing and sales purposes is outrunning guidelines on legal and ethical practice. No current technology designed to protect personally identifiable information (PII) can guarantee that the data stays safe.
Big data, big business
A year after Google allegedly offered $1 billion, Facebook forked out $19 billion to snap up the mobile communications service, WhatsApp. But WhatsApp brings its own gold to the table in the form of massive swathes of user information. The acquisition happened under a blanket of promises to the app’s 400m users that their service would not be thrown to the lions of mass advertising, and earlier this week, WhatsApp CEO Jan Koum tried to further reassure users that, “privacy is hard-wired into the company.”
But $19 billion is a lot to pay with no immediate revenue model, and some pundits have waved red flags about whether Facebook will deal with the data ethically and responsibly. Given the scale of the deal, the Federal Trade Commission, a key US watchdog, has been keeping a keen eye on the case. The same cannot be said of smaller entities that don’t share Facebook’s spotlight.
So what happens next? While Target’s data breach claimed a director’s head, moving forward every company must clearly put a priority on the integrity of its digital infrastructure, and this starts by adopting recognised frameworks and controls, such as the ISO/IEC 27000 series of information security management standards.
However, Heartbleed, the flaw in the widely used OpenSSL library, shows that even ‘trusted’ components have their weaknesses: no system can be totally safe. Heartbleed was not a backdoor but a missing bounds check in OpenSSL’s handling of the TLS heartbeat extension, which let any remote peer read up to 64KB of a server’s memory per request, potentially including private keys and session data, from otherwise well-configured systems. So the game has become an ongoing process of risk assessment and mitigation. Is regular inventory analysis, knowing which systems run which software, then the first step towards sustainable security practice? Could automating that analysis allow for more responsive and efficient data-risk mitigation?
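The inventory question above, as an added example that is not part of the original post: a small Python check that reads an asset inventory and scores each OpenSSL build against the Heartbleed range (CVE-2014-0160 affected OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1, per the public OpenSSL advisory). It flags distribution-packaged builds for manual verification, because vendors such as Debian backported the fix without changing the upstream version number, so a version string alone cannot clear them. The hostnames, owners and versions in the inventory are constructed for the example.

```python
"""Automated inventory check for one known weakness (Heartbleed, CVE-2014-0160).

Added example, not from the original post. Hosts and versions below are
constructed; the vulnerable-range rule (OpenSSL 1.0.1 to 1.0.1f, plus
1.0.2-beta1) follows the public OpenSSL advisory for CVE-2014-0160.
"""
import csv
import io
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

HEARTBLEED = "CVE-2014-0160"

# Constructed sample inventory: hostnames, owners and versions are made up.
INVENTORY_CSV = """hostname,software,version,owner
web-01,openssl,1.0.1e,platform
web-02,openssl,1.0.1g,platform
vpn-01,openssl,1.0.0k,network
api-01,openssl,1.0.2-beta1,platform
lb-01,openssl,1.0.1e-2+deb7u7,platform
db-01,postgresql,9.3.4,data
"""

# major.minor.fix, optional patch letter(s), optional -betaN, optional distro suffix
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+))?(?:[-+](.+))?$")


@dataclass
class Finding:
    hostname: str
    owner: str
    version: str
    status: str  # vulnerable | fixed | unaffected | verify | unknown
    reason: str


def parse_openssl_version(version: str) -> Tuple[Tuple[int, int, int], str, Optional[str], Optional[str]]:
    """Split '1.0.1e-2+deb7u7' into ((1, 0, 1), 'e', None, '2+deb7u7')."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    major, minor, fix, letter, beta, distro = m.groups()
    return (int(major), int(minor), int(fix)), letter, beta, distro


def assess_heartbleed(version: str) -> Tuple[str, str]:
    """Return (status, reason) for one OpenSSL version string."""
    try:
        base, letter, beta, distro = parse_openssl_version(version)
    except ValueError as exc:
        return "unknown", str(exc)

    # 1.0.1 (no letter) through 1.0.1f shipped the bug; 1.0.1g fixed it.
    # 1.0.2-beta1 also carried it; 1.0.2-beta2 and later do not.
    in_range = (base == (1, 0, 1) and letter <= "f") or (base == (1, 0, 2) and beta == "beta1")

    if not in_range:
        if base in ((1, 0, 1), (1, 0, 2)):
            return "fixed", "upstream release postdates the heartbeat bounds-check fix"
        return "unaffected", "release never contained the vulnerable heartbeat code"
    if distro:
        # Distributions backported the fix without bumping the upstream number,
        # so the version string alone cannot decide; flag for a live check.
        return "verify", f"distro build '{distro}' may carry a backported fix"
    return "vulnerable", "upstream version inside the affected range"


def run_inventory(csv_text: str) -> List[Finding]:
    """Apply the Heartbleed rule to every OpenSSL row in the inventory."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["software"].lower() != "openssl":
            continue  # this CVE only concerns OpenSSL; other software needs other rules
        status, reason = assess_heartbleed(row["version"])
        findings.append(Finding(row["hostname"], row["owner"], row["version"], status, reason))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count hosts per status for the management view of the risk."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.status] = counts.get(f.status, 0) + 1
    return counts


def action_list(findings: List[Finding]) -> List[str]:
    """Hosts needing work, worst first, so the report can go straight to owners."""
    rank = {"vulnerable": 0, "verify": 1, "unknown": 2}
    todo = [f for f in findings if f.status in rank]
    todo.sort(key=lambda f: (rank[f.status], f.hostname))
    return [f"{f.hostname} ({f.owner}): {f.status} - {f.reason}" for f in todo]


if __name__ == "__main__":
    results = run_inventory(INVENTORY_CSV)
    print(f"{HEARTBLEED} exposure:", summarize(results))
    for line in action_list(results):
        print(" ", line)
```

Run against the constructed inventory, the check separates hosts that must be patched now from those that only need a vendor changelog or live heartbeat test, which is the kind of repeatable, automatable triage the questions above are asking for; the same shape of rule can be added for each new advisory.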
Inadequacies in Industry
According to a survey commissioned by the UK Government’s Department for Business, Innovation and Skills (BIS), 36 per cent of data breaches in the UK are down to human error, which underlines the need for adequate staff training and education about the risks workers face when handling data. The findings also hint at inadequacies in companies’ data security policies.
Experian’s 2014 Global Research report takes these findings further, identifying large areas of risk in how global companies handle data.
In response to public and industry concerns, the Market Research Society launched the Fair Data mark early in 2013. This is an accreditation scheme through which the public can discern the ethical data protection standards to which logo-bearing businesses adhere. Along with other industry-led initiatives, it’s hoped that this will spread awareness of best practice in the collection, management and storage of personal information.
Can We Trust Who’s Listening?
Aside from the cases of huge corporations such as Facebook and Google, regulatory bodies aren’t tooled up with the resources to go after every single breach. Governance is still very much industry-led, with corporate lobbying seeking only level playing fields or easier cross-border flow of business operations.
Edward Snowden is a name now synonymous with the data leak, whether for better or worse. The material he leaked lifted the lid on a number of Government-sanctioned surveillance programmes. It has also had profound implications for the development of a safe data transaction partnership between the EU and the US.
Current EU data protection laws prevent companies from transferring personal information outside the European Economic Area (EEA) without guarantees that the data will be adequately protected. In response, US officials drew up the “Safe Harbour” framework, a US-led initiative to meet European protection standards.
However, the efficacy of the framework has been called into question by a series of media reports made in the wake of Snowden’s disclosures. In November 2013 an EU report outlined that ‘Safe Harbour’, designed to improve security for transfers of personal data from the EU to the US, had serious “deficiencies in transparency and enforcement”.
The European Parliament demanded the “immediate suspension” of the Safe Harbour framework, and also threatened to withdraw support for the controversial Transatlantic Trade and Investment Partnership (TTIP), a potential new trade agreement between the EU and the US which is still under negotiation.
Where to now?
Where does all this leave smaller (relative to Google and Facebook) industry players? Are we locked into a cycle of Wild West cowboy tactics with data, until bureaucracy sorts itself out? Are businesses that use data ‘ethically’ placing themselves at an industry disadvantage? Are industry-led certifications working to the benefit of both consumers and suppliers?