Privacy & Other Human Values are an Opportunity, Not a Hindrance

Data is Addictive

Many have claimed that data is the new oil. While organisations are leveraging the infinite possibilities of data analytics, users happily consent to giving away their private information – including sensitive and other personal data – in exchange for basic internet tools and services (such as email and chat) as well as targeted-ads-selling platforms (such as numerous search engines and social networks).

However, with the new EU General Data Protection Regulation (GDPR) shortly entering into application, as well as the recent revelations of excessive personal data sharing and related behavioural analytics and influencing, privacy and related human values and rights are coming into the bright spotlight. Do the GDPR and other human rights frameworks present a hindrance for businesses though?

Turning Backs on Data Absorbers

Recently, Facebook’s data scandal has been making headlines after it emerged that the social network allegedly shared information about 87 million of its users with Cambridge Analytica, a political consultancy firm, which used the data to influence presidential elections in the U.S., amongst others. A few days later, Facebook’s chief said that all its 2.2 billion users should assume that their data has been compromised by third-party apps.

The revelations have raised a wave of criticism of Facebook’s and other Data Titans’ personal data protection practices and prompted users and organisations to close their social media accounts, while governments have intensified their calls for tougher regulation and harder taxation of these data absorbers.

Solving the Riddle

While the current increased attention to on-line privacy is noteworthy, the solution to the challenge posed does not lie so much in turning our backs on social media. Nor does it lie only in tougher regulation.

Undoubtedly, in the context of future technological developments, users, organisations and governments will face similar challenges related to the protection of users’ privacy. Therefore, in order to remain relevant and successful in this digital age, we need to get privacy, data protection and the other human values and rights relevant in the Digital Age well organised and enforced the first time around.

Understanding Privacy

Next to calls for proper enforcement of the Rule of Law, users and customers as well as vendors and other organisations processing the personal data of others (whether as data controller or data processor) need a better understanding of the issues pertaining to privacy and its security. It is essential that users become aware of the importance of their privacy and recognise its value in the on-line environment, just as they do in the physical world.

In becoming more vigilant, they should be supported with, look for and give preference to fully transparent and privacy-enhancing products, systems and services. In response, vendors need to embrace their new role: the Custodians of Users’ Personal Data.

This also means that they should build products, systems and services with privacy and security by design and by default, as opposed to bolting those features onto existing products, systems and services. The era of “build fast, fix later” is over.

Privacy as a Unique Selling Point

Platforms, services providers and other vendors should communicate transparent user-centric practices and related business models to their customers. If customers accept the approach, such privacy and security features will inevitably become important enablers for building mutual trust.

Ultimately, vendors’ focus on customers’ privacy can and should serve as a unique trust point. It will provide appropriate accountable organisations with a competitive advantage opportunity, rather than posing a hindrance. The same goes for being transparent and accountable regarding other human values.

Hence, in order to remain relevant, organisations should embrace privacy, data protection and other human values, and think of them as an integral part of the business model.

Side note: Arthur’s Legal is currently running free webinar sessions on Privacy in IoT. These webinars are open to the public and provide an ideal starting point for understanding and addressing privacy- and security-related issues in the context of this Digital Age. Further details and the sign-up form are available at

It Could Happen to You

State-of-the-Art Security & Privacy: Merely Needed, Continuously

For organizations around the world, implementing state-of-the-art security and personal data protection (using both technical and organizational measures) is now a must. In the wake of the recent Equifax incident, this article outlines why data security and privacy accountability is important and how organizations can responsibly manage their sensitive data.

You Got Equifax-ed!

On September 7, 2017, Equifax disclosed arguably the most severe personal data breach ever, affecting up to 145.5 million U.S. consumers, 694,000 British consumers, and approximately 100,000 Canadian residents. The global consumer credit reporting agency announced that between March 2017 and July 2017 hackers could access consumers’ personal data, including names, social security numbers, birthdates as well as driver license numbers. Also, the details of up to 209,000 credit cards were reportedly compromised.

While previous breaches have exposed the details of more people overall, the Equifax incident is significant due to the highly sensitive nature of the leaked information. Although some of the data is of temporary nature and can easily be refreshed (such as credit card numbers), other types are more difficult to change (including addresses or social security numbers).

It’s not difficult to imagine why the leak of unchangeable “lifetime data”, including customers’ names and birthdates, is extremely alarming to consumers. As a result, the incident has been followed by significant media outcry, inspired the introduction of legislation, and sparked investigations from the FTC and FBI. Not to mention that the value of Equifax’s stock fell by a third in the days following the disclosure.

Another Case for Encryption

Due to the extent of the Equifax data breach, it is not surprising that it took less than two weeks for the first privacy regulator to take legal action. The attorney general of the state of Massachusetts filed a lawsuit against Equifax under the state’s consumer protection laws.

The complaint alleges that the credit reporting agency failed to adequately secure its portal after the public disclosure of a major vulnerability in the open-source software used to build its consumer redress portal and failed to maintain multiple layers of security around consumer data. It also argues that the credit rating agency violated the law by keeping Massachusetts’ residents’ information accessible in an unencrypted form on a part of its network accessible from the internet.

Given the fact that the company collects and aggregates the information of more than 800 million individual consumers worldwide, it is disturbing to learn that encryption was not being used effectively by its IT security team in this case. The lack of encryption is even more surprising when viewed through the lens of Equifax’s main business activities: acquiring, compiling, analyzing, and selling sensitive personal data.

The Massachusetts claim alleges that Equifax’s market position and business nature oblige the company to go beyond the regulations’ minimum requirements and “implement administrative, technical, and physical safeguards […] which are at least consistent with industry best practices.” As one of the most commonly used and best-practice security measures, the encryption of sensitive consumer data should have been ensured.

From What If …

What if the Equifax incident had occurred a year later?

In the first months of 2018, several important pieces of new EU legislation will go into effect, including the General Data Protection Regulation (GDPR) and the directive concerning measures for a high common level of security of network and information systems across the Union (NIS Directive). Both laws bring about significant changes in the domain of data protection and cybersecurity and introduce a new set of requirements with which companies must comply. Had the Equifax breach occurred in July 2018, the agency would likely face legal claims pursuant to GDPR and NIS Directive.

The NIS Directive aims to achieve a high common level of security of network and information systems within the EU. In doing so, its provisions apply to all providers of digital services active in the EU as well as operators of essential services active in the Union. GDPR, on the other hand, places stringent data protection and security obligations on anyone handling personal data of EU citizens.

Similar to the NIS Directive, the GDPR requires companies processing personal data to implement appropriate technical and organizational measures that ensure a level of security appropriate to the risk, taking into account the state of the art, costs, purposes, and impact. In this respect, the regulation regards encryption as one of the appropriate technical measures to be implemented. By failing to encrypt customers’ data properly, Equifax would likely be non-compliant with its relevant provisions.

GDPR also requires an organization to notify the authorities within 72 hours of becoming aware of a breach, so Equifax’s disclosure of the data breach more than six weeks after it occurred would certainly not comply with the obligation to notify the supervisory authority without undue delay. Once again, had the incident occurred a year later, failing to act in accordance with the law could result in Equifax being charged penalties of up to 4 percent of its total worldwide annual turnover, which would amount to about EUR 130 million, per breach.

Data Protection Impact Assessment

Both breaches could have been prevented had Equifax diligently carried out the Data Protection Impact Assessment (DPIA) required by the EU GDPR. The DPIA is a legal requirement under the GDPR for organizations processing personal data in a way which is likely to result in a high risk to the rights and freedoms of natural persons. It is not only important from the legal compliance perspective: the DPIA can also provide organizations with a systematic description of personal data processing, including special categories of data, an assessment of the necessity and proportionality of the processing, as well as identification of the risks and the measures in place to address them.

In other words, the DPIA serves as a valuable strategy and validation tool for testing and assuring an organization’s data and security strategy. It provides organizations with many benefits, including the potential for structural savings, data minimization, and scalability of the business model. Hence, based on the extent of the incident, it is clear that a diligently carried-out DPIA would and should have raised plenty of red flags for Equifax to address.

It Could Happen to You

Given the thousands of UK and Canadian citizens who were also affected by the Equifax incident, some have claimed that the filing of the lawsuit by the Massachusetts attorney general may just be the tip of the iceberg. Indeed, it may as well be the case. At the same time, however, there remain thousands of organizations processing sensitive personal data which constitutes an essential part of their business.

Irrespective of the new legislation entering into application in 2018, if organizations have not started addressing the issues of security and protection of personal data of their customers, the Equifax saga may in the end only serve as an overture to a swiftly developing and extensive narrative featuring a growing number of unprepared characters.


You don’t know what you don’t know


IT teams generally use encryption to enable better security and data protection. However, in the hands of malicious parties, encryption can be utilized as a tool to prevent you from accessing your files and data. We have been aware of this kind of cyberattack for a long time, but the most recent attack by the WannaCry ransomware cryptoworm was extensive, global and on the front page.

Under any circumstances, a ransomware exploit is terrible for an organization. The immediate impact can cause extensive downtime and may put lives and livelihoods at risk. However, in the latest attack several hospitals, banks and telecom providers also found their names mentioned in the news, suffering damage to their reputations and losing the trust of patients and customers alike. For a thorough summary of the events, we refer you to the many articles, opinions and other publications about the WannaCry ransomware attacks. This article covers the rarely discussed secondary effects of ransomware attacks.

Data exploits

What should you do if you discover your data has been encrypted by ransomware?

When there is a loss of data control, most IT teams immediately think of avoiding unauthorized data disclosure and ensuring all sensitive materials remain confidential. And indeed, these are sound measures.

However, what if you can retrieve your organisation’s data because a decryption tool was made available by a third party (experts strongly recommend against paying the ransom)? One may think that business can continue as usual and that the data can be assumed not to have been compromised or disclosed, right?

Who touched my hamburger?

Unfortunately, if no mechanism was in place beforehand to track whether the retrieved data maintained its integrity during the ransomware timeframe, one simply does not know. It will not be clear whether it has been modified, manipulated, or otherwise altered. Are you willing to still eat that hamburger?

Furthermore, one does not know whether a copy has been made, either in part or as a whole. And, if a copy was made, IT teams cannot track where it is, and whether it left regulatory data zones such as the European Union or European Economic Area.
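A concrete form of the “mechanism in place beforehand” described above, as an added example that is not part of the original article: a keyed integrity manifest built before any incident, with its key held on a separate system, that after recovery reports which files are unchanged, modified, missing or added, and refuses a manifest that was itself rewritten. All file names and contents below are constructed for the demonstration.

```python
import hashlib
import hmac
import json
import os
import secrets
import tempfile

CHUNK = 65536


def file_mac(path, key):
    """Keyed HMAC-SHA256 over a file's content, streamed in chunks."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            mac.update(chunk)
    return mac.hexdigest()


def seal_entries(entries, key):
    """MAC over the whole (canonically serialised) listing, so that removing
    or adding entries is detectable, not just editing a single file."""
    body = json.dumps(entries, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def list_tree(root):
    present = set()
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            present.add(rel.replace(os.sep, "/"))
    return present


def build_manifest(root, key):
    """Snapshot every file under root: size plus keyed MAC, then seal."""
    entries = {}
    for rel in sorted(list_tree(root)):
        full = os.path.join(root, rel)
        entries[rel] = {"size": os.path.getsize(full), "mac": file_mac(full, key)}
    return {"entries": entries, "seal": seal_entries(entries, key)}


def verify_manifest(root, manifest, key):
    """Compare the recovered tree with the manifest. Returns a dict with a
    manifest_ok flag and sorted lists: unchanged, modified, missing, added."""
    report = {"manifest_ok": False, "unchanged": [], "modified": [],
              "missing": [], "added": []}
    if not hmac.compare_digest(seal_entries(manifest["entries"], key), manifest["seal"]):
        return report  # listing itself was altered: nothing below can be trusted
    report["manifest_ok"] = True
    present = list_tree(root)
    for rel, rec in manifest["entries"].items():
        if rel not in present:
            report["missing"].append(rel)
            continue
        full = os.path.join(root, rel)
        same_size = os.path.getsize(full) == rec["size"]
        if same_size and hmac.compare_digest(file_mac(full, key), rec["mac"]):
            report["unchanged"].append(rel)
        else:
            report["modified"].append(rel)
    report["added"] = sorted(present - set(manifest["entries"]))
    for k in ("unchanged", "modified", "missing"):
        report[k].sort()
    return report


def demo():
    """Constructed scenario: snapshot three files, then simulate a restored
    tree after an incident (one file rewritten with the same length, one
    gone, one dropped in) and verify it; also try a manifest forged without
    the key. Returns (honest_report, tampered_report)."""
    key = secrets.token_bytes(32)  # in practice kept on an offline key store
    with tempfile.TemporaryDirectory() as root:
        files = {"records/a.csv": b"id,name\n1,alice\n",
                 "records/b.csv": b"id,name\n2,bob\n",
                 "notes.txt": b"quarterly\n"}
        for rel, data in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        manifest = build_manifest(root, key)

        # aftermath: same-length edit (size check alone would miss it),
        # a deleted file and an unexpected new file
        with open(os.path.join(root, "records/a.csv"), "wb") as fh:
            fh.write(b"id,name\n1,alicE\n")
        os.remove(os.path.join(root, "notes.txt"))
        with open(os.path.join(root, "README.txt"), "wb") as fh:
            fh.write(b"x")
        honest = verify_manifest(root, manifest, key)

        # an attacker lacking the key cannot make the manifest match the edit
        forged = json.loads(json.dumps(manifest))
        forged["entries"]["records/a.csv"]["mac"] = file_mac(
            os.path.join(root, "records/a.csv"), b"attacker-guess")
        tampered = verify_manifest(root, forged, key)
    return honest, tampered
```

The report does not say what happened to copies of the data (the next paragraph's point), only whether what came back is what went in.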

Secondary effect of ransomware

The loss of control described above is the secondary effect of a ransomware attack, which may be even more far-reaching than the original wave. With very little information about what happened to the data during the attack, it is up to the respective data controller or data processor to perform analysis on the long-term impact to the data, data subjects, and respective stakeholders.

Under the Dutch Security Breach Notification Act (WMD), established in 2016, data integrity breaches are a trigger to initiate the notification protocols, in the same way as confidentiality breaches and availability breaches are triggers. Under Article 33 of the General Data Protection Regulation (GDPR), loss of control is also a trigger to notify the data protection authorities.

In most cases it will be very difficult to demonstrate accurately that the breach has not resulted in a risk to the rights and freedoms of the respective natural persons (or as set forth in both the GDPR and WMD, the breach must not adversely affect the data, or adversely affect the privacy of the data subject), obligating the data controller to notify the authorities.

Besides notification, what other measures should be put in place to monitor irregular activities, and for how long? The window of liability for any identity thefts resulting from the breach will remain open for quite a while, so mitigating risk should be on the top of the priority list.


Encrypting data and maintaining the encryption keys on site would not have spared an organization from falling victim to such an attack. However, it would have significantly reduced the exposure. It would allow an organization to convey with confidence that, by maintaining the original encryption keys on-premises, it remained in complete control of the data, even while that data was encrypted by the attackers using another set of keys.


The GDPR aims to give data control back to the data subjects. Encryption is mentioned four (4) times in the GDPR, which will enter into force within one year, on 25 May 2018. It is explicitly mentioned as an example of a security measure component that enables data controllers and data processors to meet the appropriate level of state-of-the-art security measures as set forth in Article 32 of the GDPR. In real-life examples such as WannaCry and similar ransomware attacks it can also make the difference between control and loss of data, and the associated loss of trust and reputation.

The GDPR is not about being compliant but about being accountable and ensuring up-to-date levels of protection by having layers of data protection and security in place to meet the appropriate dynamic accountability formula set forth in the GDPR. Continuously.

So, encryption can not only spare an organisation embarrassing moments and loss of control after ransomware or similar attacks, but it can also help organisations keep data appropriately secure and therefore remain accountable.

BEYOND THE TIPPING POINT: Technology is now a highly regulated domain

Can Technology-Centric Standards Cope With User-Centric Regulations, such as the GDPR?


Technology-driven change

Technology changes the world at a fast pace. Internet and web services are showing this already on a daily basis and massive scale. Technology makes innovation possible in society and in our economy. Cloud computing, data analytics and Internet of Things (IoT) will expedite this pace by hyper-connecting people, organizations and data with billions of objects.

Technology-centric versus user-centric compliance?

More and more companies and other organizations are picking up speed to explore how to benefit from digital technology. From an information security perspective, for more than a decade organisations (whether provider or customer) have taken steps and implemented organizational and technical measures in order to seek and obtain compliance and assurance regarding various international information security standards, such as the ISO 27000 series, SSAE 16 SOC series. From a technology- and process-centric perspective that makes a lot of sense.

However, with the recently adopted user-centric EU General Data Protection Regulation (GDPR), just being compliant with international or other standards is not enough and would actually mean regulatory non-compliance. A regulation prevails over standards, and the GDPR is not a standard. Not being in full compliance with a regulation such as the GDPR can now lead to enormous penalties of up to 4% of annual global turnover. The GDPR is applicable to any organisation in the world that is active within the EU, not just EU organisations.

So, it is time for these organizations to look beyond the former comfort zone called information security and related standards. Now they must ensure true compliance with the demanding user-centric requirements set forth in the GDPR. Where standards traditionally focus on technology-centric processes and controls, regulation such as the GDPR – soon to be followed by the upcoming ePrivacy Regulation – is user-centric, including but not limited to the data subject itself and its related data and knowledge.

In this article, we will navigate you through some essential steps to becoming GDPR compliant.

Navigation Essential Nr. 1: Personal Data Life Cycle

In the life cycle of data, most organizations are either data controllers or data processors: they create, collect, process, derive, archive and (ideally) delete data. From the perspective of data protection, information security standards focus on the company’s internal processes and technology processing the data once received or otherwise obtained. Such standards aim to ensure that data receives an appropriate level of protection within the organization’s infrastructure and is prevented from unauthorized disclosure, modification, removal or destruction.

By contrast, GDPR prioritizes the rights of the data subject (the individual), with regards to the legal basis of processing of the individual’s personal data and the legitimate purpose to do so, in each of the phases of the personal data life-cycle. By having combined both the user-centric and data-centric approach, the GDPR provides a higher benchmark for security in data processing than the current standards.

Navigation Essential Nr. 2: Data Travels

This approach makes a lot of sense and is a prerequisite if you take into account the way that data travels. Where information security was generally aimed only at internal processes and related controls, this is the age of digital data being transmitted, exchanged and otherwise processed around the world, any time, (almost) any place. Therefore information security should now be much more about data control, access, use and digital rights management.

The GDPR has taken these points into account, but most organisations (and data subjects) are not aware of the fact that data travels far beyond the organization, and may be obtained and otherwise processed far beyond the back-end servers of the organization. Think about sensors picking up a data subject and sending related personal data through devices and gateways to various web servers and then the back-end servers. This multi-dimensional element is generally not yet very much acknowledged or addressed.

Navigation Essential Nr. 3: Data Protection and Security

Likewise, GDPR takes a more stringent stance towards data protection and security requirements. While the current standards focus on determining and preventing risks by putting in place a set of internal policies, processes and controls, GDPR requires organizations to assess the level of protection from a wider perspective. The GDPR offers an equation for finding the appropriate level of protection, per purpose, per impact assessment, et cetera.

The level of having state of the art security measures (both technical and organizational) in place is the benchmark in the GDPR, where (i) the related cost of implementation, (ii) the purposes of personal data processing and (iii) the impact on the rights and freedoms of the data subject (also good, bad and worst case scenarios) need to be taken into account, whether one is either data controller or data processor. We call this the appropriate dynamic accountability (ADA) formula:

State of the art security – Costs – Purposes + Impact

Although the current information security standards aim for ‘achieving continual improvement’, the GDPR aims to ensure up-to-date levels of protection by requiring the levels of data protection and security to continuously meet the ADA formula.

Navigation Essential Nr. 4: Encryption

Encryption is mentioned four (4) times in the GDPR. It is mentioned as an example of a security measure component that enables meeting the state-of-the-art formula requirements. Encryption of data plays an important role in ensuring security. Moreover, applying appropriate encryption can enable personal data to be securely exchanged and used in the cloud, at the cloud edge, in IoT and in other digital ecosystems while preventing unauthorized processing of and access to it. While, for instance, the ISO 27001:2013 requirements make no explicit reference to encryption, the GDPR recognizes the benefits of encryption and prefers it as a method of facilitating the security of processing data and mitigating inherent risks, adverse effects and other negative impact.

For example, in countries that already have security breach notification regulation in place regarding personal data (such as the Netherlands) enforced by the local Data Protection Authority (DPA), encrypting personal data means that in case of a breach the data subjects do not need to be notified (other than to the DPA itself), which is a requirement if such personal data is not encrypted. Although not yet made clear by the EU data protection authorities, this is likely to be similar for breach notification required under the GDPR.

Compliance is not what it used to be

Having analyzed the state of play of the international information security standards and their frameworks, we can safely conclude that the GDPR raises the bar for personal data protection and related security by introducing user-centric and more specific data-centric requirements, as opposed to the process- and technology-oriented frameworks of standards.

Being compliant in the traditional way, where compliance refers to compliance with and assurance against standards, is not good enough anymore. Technology has become a highly regulated domain in itself.

How to gear up?

Since the (2018) GDPR requirements are stricter than those of its (1995) predecessor, there is a lot to be done to ensure compliance with the GDPR before or by 25 May 2018, the date the Regulation enters into force. Organizations that are already ISO27k, SOC2 or otherwise compliant with information security standards should start performing gap analyses and data impact assessments. In addition, organisations should (re)design and build multi-layered, interdisciplinary (data) architectures to ensure appropriate and accountable GDPR compliance and avoid those hefty penalties, which for a large enterprise can amount to several billion euros.

The good news is that, once an organization does have those appropriate technical and organizational measures in place, it will significantly increase trustworthiness towards customers and stakeholders, and demonstrate next-generation readiness.



In IoT We Trust: Technology, Interoperability, Security, Privacy & Usability in the Hyper-Connected World

I have written this blog at the request of, and it was published by, the European Commission:

Technology changes the world at a fast pace. Internet, digital services and cloud computing are the living proof of this at a massive scale. Internet of Things technologies accelerate this process even more by hyper-connecting people, organisations and data with billions of objects.

What does the user think of all this? How are customers, users, and other stakeholders in the value chain of these vast and highly complex ecosystems going to understand, trust and use IoT products and services in a durable, trustworthy, productive, civilised and pleasant way in our society?

Trust is always one of the main challenges with any new technology and any change. Regarding IoT, customers and users will need time to adapt and to learn what the benefits are, and how to trade-off usability versus risk to a fair level. The maturity level of adequate trustworthiness will differ per IoT device, service, application and per type of use.

Think of the difference of impact between, for instance, smart wearables in sports and smart health in hospitals. We all perceive a different trust level, right? What about smart grids and Industry 4.0 connected to critical infrastructure versus smart meters at home? Again, some issues are more important than others, such as security and safety, or usability and personal data protection. How about smart resident services in a city versus a smart augmented-reality city for tourists? Or think of smart autonomous valet parking versus high-speed autonomous vehicles on the highway. Who makes the decision about your welfare and life when a crash is imminent? How do the other vehicles react? And who developed those algorithms? What does M2M mean to you?

For each application in each field you will identify different risk profiles, usability expectations and trust levels. You can even have numerous different trust levels on one single device; just look at your mobile device and think about it. Developing and using multi-purpose devices triggers the necessity to understand the contextuality of trust.

Components of trustworthiness are security, data management, (personal) data protection as well as the way vendors, providers, customers, users and the related community will act and react in real-time. Another prerequisite of building contextual trust is taking care of customers and users with insufficient knowledge. For instance, insufficient knowledge has been established by EuroStat to be the number 1 reason for businesses not to procure paid cloud services. The IoT industry should try to avoid that the same barriers arise in the various maturing IoT markets.

I see this as one of the main roles of the Alliance for Internet of Things Innovation (AIOTI). Several initiatives are ongoing in the Working Groups of the AIOTI to deep-dive into these issues.

For example, recently, the AIOTI Working Groups 3 (WG3: Standardisation) and 4 (WG4: Policy) joined forces and brain power again in an AIOTI Workshop on Security and Privacy, hosted by ETSI and co-organised by the Commission, NXP and Arthur’s Legal. In this workshop the attendees, including the Commission, ENISA and other public and private sector stakeholders deep-dived into two essential components to build, strengthen and keep trust of citizens, consumers, businesses and other organisations in their connected and hyper-connected day-to-day commercial and private life.

We explored and debated, in both plenary and expert breakout sessions, whether and to what extent a minimum level of basic requirements can be identified and formulated for security and privacy in IoT that can be taken into account when thinking about a certain evidence-based trust label linked to IoT products and services (the Commission’s ‘Trusted IoT Label’ initiative), while remaining open to innovation and competitiveness.

Think about data control, privacy-by-default, privacy-by-design, security in IoT hardware, components, interfaces, communications and applications, and data-centric security. Quite a few potential minimum requirements have been identified in this quest towards trustworthy IoT. We will report on this shortly.

Later this year, at the Digital Assembly 2016 we will assemble forces and brain power again, then to deep-dive into ePrivacy in IoT, where the above topics and trustworthiness of IoT will be part of the dialogue for sure.

I am convinced that initiatives such as these, as well as the numerous other initiatives AIOTI has already started and plans to start in the coming period, help build and foster the uptake of a usable, solid, trustworthy and fruitful digital economy and society.

One last thought for now: the best things in life are not things, so let’s aim to combine IoT with the internet of humanity (including digital inclusion) to get to the internet of human prosperity. I am keen, honoured and excited to be able to help out, and hope you will help and support the journey towards a trustworthy hyper-connected world. You are already hyper-connected so better start today!

Let’s keep in touch via social media: LinkedIn and Twitter.


Balancing Security & Usability

The Tricky Balance between Security & Usability

There is an inherent conflict of interest between the ease of use on the one hand and security on the other.

If one makes something very open and easy to use, the security will be low. If the security is high, the usability will be low. And let’s not even start on connectivity and interoperability, as those concepts may then look almost impossible.

It is not realistic to expect that one can achieve maximum usability and maximum security at the same time. In basically all ecosystems, whether a product, service, building, city or community, whether physical or virtual/online, there will be a trade-off between security and usability.


Example 1: Drones. It is not hard to hack a drone and watch the video streams it is broadcasting, as those feeds are, by design, meant to be easily accessible. Most feeds are totally open and unencrypted, even on many military drones, because those drones try to make overhead video available to as many frontline soldiers as possible, including those who may not have all the security protocols available but desperately need the feeds. It is a classic security-convenience trade-off: ever since drones have been flying, they have been hacked by either side. This happened with US drones flying over Iraq, Israeli drones flying over Gaza, and so on.

Example 2: Email/Chat. Having to type in a password, prove you are not a bot by deciphering an image, and then type in the code you received on your mobile phone for two-factor authentication, just to access your email or chat, obviously results in a higher degree of security but an extremely low degree of usability.

Example 3: Castle Moat. Although it looks quite secure, especially with exposed grounds around the high-walled castle, there are very limited ways to get in, or out. Furthermore, there is a total lack of connectivity between the castle and its surroundings. The same goes for building walls.


Open & User-Friendly Prevails, where possible

Shutting down a community or fully securing a building is not the answer, whether in the physical world or the digital environment, even though in some cases it may be necessary for a short while to get back on one’s feet. In any case, the balance between security and usability is dynamic, with the prevailing goal of keeping it as open and user-friendly as possible: minimize the possibility of threat scenarios and maximize the accessibility of usage scenarios. It will be decided case by case and from time to time, but there are of course good principles to use and nurture.

A usable product, service, building, city and community will be one that minimizes errors, disasters and attacks, while secure products, services, buildings, cities and communities will aim at ensuring that undesirable actions are prevented or mitigated.

Dynamic Balance

This balance may be one of the most relevant and important questions of our times, both in our online and physical communities.

The hyperconnectivity that users are pursuing, demanding and being provided with, in cities and communities growing fast anywhere in the world, together with cloud computing and the Internet of Things that truly connect humans and physical objects with global digital infrastructure and services, will surely mean that this balance becomes even more dynamic and needs to be continuously monitored and managed.

And remember: security + usability = durable user experience and trust.