“TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease. Yes, hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action.” – UK ICO’s Elizabeth Denham, 5th October 2016.
Day 3 – 2nd May – Breaches and Threats
TalkTalk Data Breach
The highest profile ICO case is undoubtedly the £400,000 fine against TalkTalk, close to the maximum fine of £500,000 ICO is empowered to apply, for contraventions of Data Protection Act 1998.
TalkTalk’s failure to properly protect customer data from a cyber attack resulted in a breach of personal data of 156,959 customers, including names, addresses, dates of birth, and in many cases bank account details and sort odes.
ICO found that the attack could have been prevented if TalkTalk had taken basic steps, such as infrastructure scanning (which could have uncovered vulnerable websites through which attacker accessed a customer information database), patching out-dated software (which could have fixed a bug that allowed the attacker to bypass access restrictions), installing defences against common hacking technique SQL injection used to access the data.
Cyber Security is a Board Room Issue
“Today’s record fine acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant. They must do this not only because they have a duty under law, but because they have a duty to their customers.” – UK ICO’s Elizabeth Denham, 5th October 2016, on issuing the largest fine, £400,000 to TalkTalk.
Tone-from-the top, where the Board is highly engaged and understands what comprises information “Crown Jewels”, is a foundational building block for effective cyber risk management.
Establishing clear authorities and responsibilities, demonstrating commitment to risk mitigation, fostering risk communication are some areas where industry best practices recommend Boards oversight. TalkTalk’s data breach also emphasized that Board’s oversight of regular independent assessments is essential to identifying vulnerabilities and forming appropriate risk mitigation and incident response plans.
Simply: if it matters to the board and senior management, then it will matter to everyone else across the organisation.
All threats, all hazards
The Queen’s Speech to Parliament on the 21st June 2017 confirmed ICO’s enforcement actions highlights that Privacy intrusions and data breaches can arise, not only from Cyber Security lapses, but also exploitation of standard operation procedures.
Reflecting these emerging security themes, focused conferences are hosted as part of the International Security Expo 2018. To find out more, under the invitation of International Security Expo organizer (Peter Jones, CEO Nineteen Events), we spoke to Don Randal MBE, who is also the Bank of England’s first ever CISO on Cyber Security.
He emphasized that: ‘The key to successful prevent, detection and subsequent prosecution is to understand the motivation of the attacker. Primarily people commit crime for three reasons. One is they need to, they’re cash-strapped, poverty-ridden and in such a bad state that the only way to go forward is to cross the line and commit a crime. The others are greedy script kiddies who are in pursuit for peer recognition and want the power of a hacker, or those with an alternative motivation, the likes of terrorism.’
Addressing these motivations such as countering terrorism in the digital age increasingly forms part of the big data conversation – and how data is collected and used.
Day 4 – 3rd May – Data Protection by Design, by Default
Previously known as ‘privacy by design,’ “Data Protection by design, by default” has always been part of data protection law. Under GDPR, it is now a legal requirement.
“Taking into account the state of the art, the cost of implementation and the nature, scope, context and purpose of processing, as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organization measures such as pseudonymization, which are designed to implement data-protection principles, such as data minimization, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this regulation and protect the rights of data subject” – GDPR Article 25, Para 1, Data protection by design and by default.
It covers data protection and privacy up-front, and proactively anticipates potential privacy invasion events – that is, practicing end-to-end security in the design and architecture of IT systems and business practices: Protect, Detect, Know, Response, and Recovery.
And, by default, the design and architecture of IT system and business practices should also automatically protect personal data to meet the principles of personal data processing. Recognising that 100% protection is neither practical nor effective, a risk-based approached is central to “Data Protection by design, by default”.
This means building data protection in accordance with the risk profile of the operation. One example of how GDPR views this , is the requirements on ‘high-risk’ activities, such as Data Protection Impact Assessments (DPIAs).
Day 5 – 4th May – What does it mean for Singapore?
Singapore’s Personal Data Protection Act 2012 (PDPA) came into force with the formation of the Personal Data Protection Commission.
As with the data protection acts in UK and EU, Singapore’s PDPA governs the collection, use, disclosure and care of personal data. It recognises both the rights of individuals to protect their personal data and the needs of organisations to collect, use or disclose personal data for legitimate and reasonable purposes.
Enforcement actions have been taken against organisations as well as individuals for lax cyber security procedures, unauthorized access and failure to take reasonable security measure in documents disposals. By regulating the flow of personal data among organisations, ultimately, PDPA also aims to strengthen Singapore’s competitiveness and position.
Development of Singapore’s PDPA
The development of Singapore’s PDPA takes into account international best practices on data protections, as well as the OECD Guidelines on the Protection of Privacy and Transborder Flow of Personal Data, and the APEC Privacy Framework.
Since the introduction of GDPR, three public consultations had been conducted to seek feedback. A recent proposed change relates to how companies handle individuals’ NRIC numbers, collect the physical NRIC or a copy of it.
NRIC (The National Registration Identity Card) has been widely used in Singapore for a range of activities by consumers. PDPC acknowledged that as “The NRIC number is a permanent and irreplaceable identifier of information relating to the individual, the indiscriminate collection and use of the numbers is of special concern as it increased the risk that the NRIC numbers may be obtained and used for illegal activities such as identity theft and fraud.”
The latest guidelines addressed this concern and proposed that organisations should not collect, use or disclose an individual’s NRIC number; expect when it is required under the law or when it is necessary to identify the identity of the individual.
GDPR-ready for Singapore organisations
An organisation that does not have an establishment in the EU can still fall within the GDPR’s scope. Specifically, GDPR not only considers the location of the processing, but also the location of the individual whose data is being processed.
A Singapore e-commerce trader whose website is available in English and ships products to customers in the EU, is likely considered to be offering goods in the EU. A Singapore online behavioural advertising network or analytic company that processes personal data of say, a Singaporean living in EU to offer tailored promotions is considered monitoring data subjects in the EU.
In short, the territorial scope of GDPR means that a Singapore organisation that shares data or sells products and services within the EU, or process data subjects in EU will be subjected to GDPR. Moreover, as GDPR requires EU data controllers to only appoint GDPR-compliant processors, any Singapore organisation that provide data processing service to data controllers within the EU will need to ensure it is GDPR-ready.
Wrap-up – Privacy and Innovation
Sheer processing power and ‘big data’ are accelerating technological capabilities. With high communication speeds and falling costs of data storage and processing, innovations in the areas of mass data collection, automatic processing and algorithmic programming give rise to fraud detection, behavioural analytics, ubiquitous surveillance and so on.
Leveraging off technology for the legitimate interests and benefits for the customers and businesses promotes economic growth. Confidence and trust in the technology to securely capture, store and use information is essential to achieving this aim.
GDPR focuses organisations towards achieving this aim. While there are certainly short to medium-term costs for organisations to achieve compliance, data protection should also be seen as enabler of technological progress.
Elizabeth Denham summed this up at her keynote speech at the National Association of Data Protection and Freedom of Information Officers (NADPO) Annual Conference on 21st November 2016, “I wanted to make the point that I do not believe data protection law stands in the way of technological progress. The theme of my speech was privacy and innovation, not privacy or innovation.”
