The cybersecurity spotlight has been magnified, burning the unprepared

After an incredibly long hiatus, the blog is back in action.

Cybersecurity breaches, or at least the public’s knowledge of them, have increased. The breaches have been happening for years, and the media spotlight has continued to intensify, especially with high-profile cases involving millions of consumers’ personal data.

A couple of breaches in 2019 impacted numerous consumers:

Increasing regulation in the form of the General Data Protection Regulation (GDPR) has applied pressure far beyond previous regulations. The last post written here was published in 2013, and the landscape has changed significantly since then. The consequences of non-compliance can be very severe: a GDPR violation carries a penalty of up to 20M EUR or 4% of annual turnover, whichever is greater. Also in force since January 1, 2020, the California Consumer Privacy Act (CCPA) can impact businesses, but it is important for any business or other organization to consider whether the activity it is carrying out even falls within the scope of these laws.

The UK ICO provides a guide on GDPR focused on UK businesses and organizations, but the principles are worth considering when controlling or processing personal data of citizens of European Economic Area (EEA) states. There will be differences that are applicable within different member states that should be considered, but for managing risk especially where a business or an organization is getting off the ground, this is a good start.

Regulations aside, attention must be focused on securing systems and eliminating any security risks that may affect the protection of personal or other data. The best deterrence to a cybersecurity breach is not operating at all, but being practical, the next best is implementing best practices in information security especially at the technical level. The administrative and organizational best practices are also incredibly important, but without the technical component, the data is at critical risk of exposure regardless of how a business or an organization is administered or operated.

E-commerce stores should consider data protection and privacy

Are you processing personal data through your website in order to facilitate commerce?  In simpler terms, are you asking customers to provide information about themselves through your website, app, or email address, and then using that information in order to carry out your business?

One of the questions of the self-assessment written by the Information Commissioner’s Office (ICO) states: “Do you only process personal data for staff administration, advertising, marketing or public relations, or accounts or records?”  Another states: “Do you process individuals’ information for advertising, marketing or public relations?” And: “Do you process individuals’ information for accounts or financial records?”  If the answer to any of these is ‘no,’ then you need to register with the ICO.  If you are meant to register but have not, the ICO might come knocking on your door with more than just a slap on the wrist.

Of key interest to online retail store owners would be the last question about accounts and financial records, and the ICO provides guidance on this in the self-assessment:

You should answer ‘Yes’ if you:

  • only process information necessary for undertaking and managing transactions with your suppliers and customers; and
  • only share the information with people and organisations necessary to do this. Important – if individuals give you permission to share their information, this is also allowed; and
  • keep the information while you have a relationship with the supplier or customer it refers to or as long as necessary for your accounts and financial records.

So as long as you are doing just the above, this should be sufficient, but in case of any doubt, seek legal assistance.  Likewise, the other aspects of the assessment must be met properly regarding communications (advertising, marketing, and public relations).  It may be prudent to register with the ICO voluntarily, which can indeed be considered a mark of integrity and credibility with customers, who can have confidence their personal data is used in accordance with the law.  Don’t forget to secure your data, too.

The tipping point for data protection to become the norm

With consumer security becoming highlighted constantly in the wave of online account phishing attacks, consumers becoming further concerned their communications could be compromised, and the PR message that consumers need to “watch what they are doing online” failing to modify consumer behavior on a wide scale, the tide in secure communications is turning.

In January 2010, Google began offering secure authentication access for its search engine.  For the first time in the competitive search market, security in searches became a reality.  Google had already offered HTTPS (Hypertext Transfer Protocol Secure) support through Gmail, which major email player Hotmail added only in November.  Google has also led the way in online collaborative office work through Google Docs, which uses HTTPS to protect confidential materials.  Yahoo! Mail in the United States has yet to join the bandwagon, which it ought to, as allowing consumer data to flow unprotected around public wireless hotspots is undesirable, and consumers have been continually gaining awareness about privacy and security.

Facebook, arguably now the world’s most popular website with over 500 million users, has also been using Yahoo!’s strategy in the United States of allowing HTTPS only for logging in, to protect the password.  However, and with respect to Privacy Day that passed only yesterday, Facebook has set the stage for HTTPS to become the norm by beginning its rollout of full HTTPS support throughout the Facebook website.  This is data protection compliance at its fullest, as it ensures the consumer is obtaining the highest level of security based on current consumer and professional standards.

Most e-commerce businesses, including financial services, have an obligation to implement HTTPS on their websites, as consumer and client information must be kept fully confidential.  With Facebook’s induction into the secure world, commerce has stepped past the tipping point in security, and any company looking to do business today cannot merely consider security in project management; it must implement that security as well.  This has always been the case for e-commerce, financial services, health services, and generally any service intended to be confidential, but it is clear that the intention today is moving towards guaranteed confidentiality throughout the Internet.
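The distinction the post draws, HTTPS only on the login page versus HTTPS enforced across the whole site, can be checked mechanically. The following is an added example, not code from the original post or from any of the companies named: it audits a set of recorded HTTP exchanges (the sample responses are constructed, not captured from a real site) and reports whether plain-HTTP requests are redirected to HTTPS on every path or only on the login path, and whether the HTTPS responses carry a Strict-Transport-Security header and set cookies with the Secure and HttpOnly attributes. Header names are assumed to be lowercased by whatever recorded the exchanges; the `/login` path name is an assumption.

```python
"""Audit site-wide HTTPS enforcement from recorded HTTP exchanges.

Added example; not code from the original post. All sample data is constructed.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Response:
    """One exchange: the URL that was requested and what came back."""
    url: str
    status: int
    headers: dict = field(default_factory=dict)  # assumed: lowercase header names


def path_of(url):
    return urlsplit(url).path or "/"


def is_https_redirect(resp):
    """True if a plain-HTTP request was answered with a redirect to an https:// URL."""
    location = resp.headers.get("location", "")
    return resp.status in (301, 302, 307, 308) and location.lower().startswith("https://")


def classify_coverage(responses, login_paths=("/login",)):
    """Classify how far HTTPS enforcement reaches, judged from the http:// probes only.

    'full'       every http:// probe was redirected to https://
    'login-only' only the login path(s) were redirected (the pattern the post describes)
    'none'       nothing, or some non-login subset, was redirected
    """
    probes = [r for r in responses if urlsplit(r.url).scheme == "http"]
    if not probes:
        raise ValueError("no plain-HTTP probes in the sample")
    all_paths = {path_of(r.url) for r in probes}
    enforced = {path_of(r.url) for r in probes if is_https_redirect(r)}
    if enforced == all_paths:
        return "full"
    if enforced and enforced <= set(login_paths):
        return "login-only"
    return "none"


def header_findings(responses):
    """Findings on https:// responses: HSTS absent, or a cookie missing Secure/HttpOnly.

    Without HSTS a browser will still try http:// first on a typed address; without
    Secure the browser will send the cookie over any later plain-HTTP request.
    """
    findings = []
    for r in responses:
        if urlsplit(r.url).scheme != "https":
            continue
        p = path_of(r.url)
        if "strict-transport-security" not in r.headers:
            findings.append(f"{p}: no Strict-Transport-Security header")
        cookie = r.headers.get("set-cookie")
        if cookie:
            # attributes follow the first "name=value" pair, separated by ';'
            attrs = {part.strip().split("=", 1)[0].lower() for part in cookie.split(";")[1:]}
            if "secure" not in attrs:
                findings.append(f"{p}: cookie set without Secure attribute")
            if "httponly" not in attrs:
                findings.append(f"{p}: cookie set without HttpOnly attribute")
    return findings


# Constructed sample: a store that protects only its login page.
LOGIN_ONLY = [
    Response("http://shop.example/login", 301, {"location": "https://shop.example/login"}),
    Response("http://shop.example/account", 200, {"set-cookie": "session=abc123; Path=/"}),
    Response("http://shop.example/cart", 200, {}),
    Response("https://shop.example/login", 200, {"set-cookie": "session=abc123; Path=/"}),
]

# Constructed sample: the same store with HTTPS enforced everywhere.
FULL = [
    Response("http://shop.example/login", 301, {"location": "https://shop.example/login"}),
    Response("http://shop.example/account", 301, {"location": "https://shop.example/account"}),
    Response("http://shop.example/cart", 301, {"location": "https://shop.example/cart"}),
    Response("https://shop.example/login", 200, {
        "strict-transport-security": "max-age=31536000; includeSubDomains",
        "set-cookie": "session=abc123; Path=/; Secure; HttpOnly",
    }),
]


if __name__ == "__main__":
    for name, sample in (("login-only store", LOGIN_ONLY), ("full-HTTPS store", FULL)):
        print(f"{name}: coverage={classify_coverage(sample)}")
        for finding in header_findings(sample):
            print("  ", finding)
```

The coverage classification uses only the plain-HTTP probes, because that is what a user on a public wireless hotspot actually sends when typing a bare domain name; the header checks then confirm that the HTTPS side does not quietly hand the session back to plain HTTP through an insecure cookie.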

Privacy and confusion over what deserves privacy

Work in progress, incomplete.

Certain events or trends have proven to be catalysts for major discussion or reform of the laws in place.

The most widely known catalyst to date is the September 11, 2001 terrorist attacks in New York, Pennsylvania, and Washington, D.C.  The reaction to this catalyst continues in a very direct way with the ongoing military operations of coalition forces in Afghanistan.  In the United States at the very least, this caused a great debate as to where our civil liberties stand when it comes to combating international terrorism, with legislation quickly following suit, such as the USA Patriot Act.  With an active, leadership-oriented foreign policy, many other countries have followed suit with regard to counter-terrorism measures.

Issues have arisen in the United States such as the legitimacy of the Foreign Intelligence Surveillance Act to allow warrantless wiretapping, which directly affects the privacy of Internet Service Provider consumers.

However, there is a new catalyst emerging as a trend that has major implications for the law with regard to privacy versus expression: the proliferation of confidential materials whose release was not authorized, and which therefore spread following a breach of confidence.  Without sounding too complicated, this means there is an emerging trend of using information intended to remain private in the public sphere, due to a perceived “public interest” in the private information.  Still too complicated?  Maybe this has to do with the way individuals and organizations alike are flexing their PR muscle.

There is a lack of analysis in the rhetoric approving or disapproving of “public interest” breaches of confidence, and of the proliferation of the confidential material after the initial breach by an original actor, before such rhetoric is published; this is why there are major implications for the law.  What does not help clear up the confusion over how future legislation may proceed is the silence assumed by the owner of the confidential material on whether or not the information it contains is legitimate, though that silence can be there for a legitimate reason: to protect security.  It is not just that confidentiality is breached because this is an emerging trend; it is that the rhetoric floating around the airwaves may not be focusing on the exact legal and social issues at play here.  Tabloid-style rhetoric is not only unnecessary, but irresponsible when a serious matter such as confidential material is the focus of the media.

What is certain is that with this emerging trend of breaches of confidence that cannot be contained by the traditional injunction, an increasing focus will be set on the consequences for breachers in the criminal justice system as well as the security applied to protect private information.