Defeat cyber risks, use the Force

Cyber risks are a real and present danger. They are often hidden and misunderstood so I wrote this article just for you. I’m also a Star Wars fan and couldn’t resist the Force.

When I think of the words “cyber risks”, I don’t think of anything immediately tangible nor anything immediately threatening. What those words, (especially together) mean to me is far more ethereal and a lot more entertaining…

My thoughts digress to a Jedi fighting a Sith, Ewoks and Jabba the Hutt. I think of Darth Vader – the famous “I am your father” scene. All very “other-worldly” and “galactic”. Something a true Star Wars fan can fully and truly appreciate. But this is not Star Wars and I am no Princess Leia.

“Luke, I am your father”

Just like the “Luke, I am your father” scene inevitably shocked Luke into a new reality, growing cyber risks are doing the same for businesses across the globe. And that is actually my point – is cyber risk really in a “Legality” far, far away, or is it closer to home than we think?

What do I mean? Well I will give you some examples.

In PricewaterhouseCoopers’ January 2016 Top Issues publication, the following was outlined:

“The biggest challenge for insurers is that cyber isn’t like other risks. There is limited publicly available data on the scale and financial impact of attacks and threats are very rapidly changing and proliferating. Moreover, the fact that cyber security breaches can remain undetected for several months – even years – creates the possibility of accumulated and compounded future losses.”

And

“Cyber risks are increasingly frequent and severe, loss contagion is hard to contain, and risks are difficult to detect, evaluate, and price.”

On the “Cyber crime can derail your company” page of the Freshfields Bruckhaus Deringer website (a worldwide legal practice), they state the following:

“Whatever your industry, cyber security is a worldwide concern. As you hold more data, and your staff use their own devices, you can become more vulnerable to security breaches.

Those breaches can have significant legal and reputational effects upon companies. As shown by recent data breaches, and related litigation, this is not just an IT issue.”

There has even been a full article written on the Hedgeweek website entitled “Cyber security – a Global Perspective” (the title alone has a sense of doom and seriousness about it). This article sets out the lengths the US Legislature is going to in order to ensure the protection of companies against cyber-crime, which includes the House of Representatives passing a new cybersecurity bill –

“the Protecting Cyber Networks Act (PCNA) – to allow file sharing between government intelligence agencies and private companies and raise the overall awareness of hacking.”

Cyber Risks – a clear and present danger

If it is not clear already, let me spell it out for you – cyber risks are here. It is a risk that is not only very real but one that can be truly devastating to a company should its systems and data be hacked, thereby revealing company trade secrets. Can anyone say “huge liability claim”?

Source: Boss Fight

Speaking of huge liability claims, insurers and re-insurers are discovering that there is a growing and real need to insure companies across all industries against these potentially devastating risks, and that means increased premiums for those insurers and re-insurers eager to tuck into a slice of the proverbial cyber pie. According to PWC –

“Cyber insurance is a potentially huge but still largely untapped opportunity for insurers and reinsurers. We estimate that annual gross written premiums will increase from around $2.5 billion today to $7.5 billion by the end of the decade.”

But that’s insurance, and therefore inevitably a safety net should things go awry; where law is concerned, prevention is often better than the cure.

Understanding leads to prevention

In order to even start combating cyber risk, we first need to understand what it actually entails. According to Kennedys’ “Cyber risks – an insurance perspective” article, cyber risks can be understood quite simply:

“Two of the most common forms of cyber risks are Cyber-attacks and data breaches. Cyber-attacks can take many forms:

Hacktivism – where a company’s website is hacked into and used as a platform to promote views.

Denial of service attacks (DoS) – when a site is bombarded with millions of emails from a bogus source, thereby blocking access to the site by legitimate users. This happened to the Amazon and PayPal sites recently, when they were forced to stop online trading as a result of DoS attacks by people protesting against the arrest of Julian Assange.

Cyber-extortion – where attackers threaten to carry out a DoS attack or to implant viruses in a company’s website or network.

Data breaches can occur as a result of human error – for instance, unencrypted data is lost or sent to the incorrect recipient – or by hackers, employees or others stealing or otherwise gaining access to sensitive data.”

A call to arms

Source: Pexels

What is abundantly clear is that this is not just an IT issue, something you can “dial a nerd” for and consider your job done. What this is, is a global risk, something we as legal practitioners need to get ahead of. It is all well and good to have the insurers and reinsurers making their mark in this currently untapped risk market, but we need to prevent the risk from materialising in the first place. A seemingly daunting and almost impossible task, to be sure. However, as with everything, you can tackle this “one bite at a time”.

With that in mind, how do we fight Cyber Risks?

  1. Identify the specific risks to the business and what needs the most protection. For example, in a company like Coke, intellectual property might be the most important asset which is vulnerable to cyber attack. For Bid or Buy, the stability of online platforms and the security of customers’ personal data may be paramount.
  2. Assess the potential consequences of the various types of possible attack. Essentially, what would the impact be on the company’s reputation, its share price and its goodwill? What is the litigation risk? What would the impact on the business be if its activities were disrupted for a short or for a sustained period of time? How much risk can the business accept? This is a really important balancing act and, from a legal perspective, will need some risk management. For example, ensure senior management in all areas of the business are fully aware of the IT security posture and all the risks that potentially exist.
  3. Devise a strategy to address the identified cyber risks. This is likely to involve preparation of both a cyber risk management plan and an incident response plan. A cybersecurity review is vital.
  4. Ensure that the systems and security measures are properly and regularly tested (here you can most certainly get hold of “dial a nerd”).
  5. Implement appropriate staff training and education. Many attempts to compromise information involve what is known as “social engineering”, which is effectively the skilful manipulation of people and human nature to trick information out of a company. Online social media platforms need to be properly monitored, and staff trained on what they can and cannot say about the company online. A social media policy will most definitely be needed. Proper training can help reduce, or completely prevent, this type of risk.

Clearly, cyber-security is more than just tightly worded policies and endless procedures. It is a legal risk management exercise which undoubtedly entails keeping your eyes wide open, your ears to the ground and your paper trail well and truly up to date; if there is any significant attack, the legal team needs to be properly armed with its trail of governance to ensure real combative steps are taken.

“May the force be with you” indeed does come to mind.

Featured image credit: Paul Jacobson, licensed CC BY NC SA 2.0

When it comes to data protection, transparency and trust are essential

Fountain Square in Downtown Cincinnati Is a Public Square That Works for the City and Its People in a Myriad of Ways: Light Rain Falls at End of Noontime Israeli Birthday Celebration 05/1973

When it comes to privacy, two key success factors are transparency and the trust it engenders. Responsible data processing is how you move from transparency to trust.

I wrote an article about this which I published on LinkedIn (it was also published on MarkLives) which I titled “Trust is more important than sales”. You may find it interesting.

A transparent approach to privacy policies


Richard Beaumont’s article “Transparency Should Be the New Privacy” echoes a point I’ve also been making recently: data protection or privacy is mostly about transparency and trust. Sure, compliance is essential, but from a data subject or consumer’s perspective, how transparent you are about how you process the data subject’s personal information and whether your activities engender trust are arguably as important. Achieving that requires a varied approach to data protection, and one of the key elements is the document you publish about this, namely the privacy policy (also known as a “data protection policy”, “privacy statement” and other titles).

As Beaumont points out:

The website privacy policy is the basis on which organisations can claim they have received consent from customers/visitors to collect whatever data they want and do what they like with it. In a data-driven world, they are important documents. Expensive lawyers are often paid large sums of money to write them in the full knowledge that they will rarely be read. Of necessity, it is written in legalese that most people won’t fully understand, and it is long because it has to cover all eventualities.

Of course, hardly anybody reads them. In the vast majority of cases, it would be a colossal waste of time.

I don’t agree with an approach that obscures privacy policy wording by using legalese and complex language, but privacy policies are typically not read and understood before data subjects share their personal information. On the other hand, Beaumont makes a number of good points about the purpose of most privacy policies:

However, the problem is not really with the privacy policy itself as a document; it is the fact that it has been mis-sold to us. We are led to believe its purpose is to inform. We are told this because consent relies on us being informed about what we are consenting to. It is the basis of almost all privacy law throughout the world.

However, if that were true, it wouldn’t be buried in a link at the bottom of the page and written in dense text that is often also in a smaller font than the rest of the site. Website designers and copywriters know how to inform people online. The privacy policy is the document on any website least likely to inform the visitor in any meaningful way.

The reality is that the privacy policy is designed to protect the owners in the case of a dispute—which is what most legal documents are designed to do. There is nothing wrong with this—these documents are necessary in certain circumstances. It’s just that they don’t fulfil the more common need for accessible information about privacy practices at the company.

He goes on to propose a “transparency policy” as an alternative to a conventional privacy policy. I don’t think we need a new term for the document except where using a new name shifts our perception of the document’s role. I’ve been reading a lot more about more visual legal documents and I like Beaumont’s suggested approach, at least in part:

The transparency statement will be short, clear and simple to understand. It might borrow from the “layered” privacy policy model and would almost certainly involve a strong visual element. It will be easily accessible and you will be encouraged to look at it, especially on a first visit. It will be the basis on which the website will set your expectations for how you and your data will be treated.

His model involves a transparency statement operating alongside a privacy policy which would give the transparency statement important “legal weight”. I don’t think this is necessary, though. I prefer some lawyers’ approach of publishing a “privacy statement” rather than a privacy policy. Although privacy policies are frequently framed as documents you, as a data subject, agree to, they can function just as well as statements of what personal information is being collected; how it is being processed and under what circumstances that personal information may be disclosed and to whom.

When I prepare privacy policies, I usually pair them with a website’s terms and conditions, which invoke the privacy policy as an explanation of what personal information is processed and how. The terms and conditions then reference the privacy policy and provide the “legal weight” Beaumont refers to. In that model, a privacy policy could be reframed as a streamlined privacy statement along similar lines to Beaumont’s suggested transparency statement. Inferring agreement with a privacy statement then becomes largely unnecessary, and it would only really be important to establish that data subjects agreed to the terms and conditions themselves which, in turn, would point to the privacy statement for information about personal information processing.

A streamlined privacy statement would also be better suited to more visual representations of its contents, which makes it far more intelligible and, by extension, a company’s data processing activities more transparent. With more transparency comes more accountability and trust. In addition –

Because the transparency statement is also more likely to be read, commented on and engaged with, it will likely improve over time, and accepted standards might emerge. This would potentially create a virtuous circle that further improves clarity for consumers.

Emerging standards have further benefits which I find really exciting. The bottom line, though, is Beaumont’s conclusion:

Transparency statements could be the vehicle to enable the majority of people to make better-informed choices than they currently do and use a truly market-driven approach to online privacy practice.

EU and US data protection regimes compared

Phil Lee at the Privacy and Information Law Blog has a great comparison of European and American data protection regimes which is worth reading. This is particularly relevant to South Africa as the Protection of Personal Information Act places some emphasis on transferring personal information to countries with compatible data protection systems.

Your connected home knows you intimately and, soon, so will Google



Google has just announced that it intends to purchase Nest, a company that produces a connected home thermostat and smoke detector that is very well regarded in the United States. The purchase price is $3.2 billion, apparently in cash. That substantial purchase price is a pretty clear indication of the value Google places on Nest’s technology, which gives its customers the ability to monitor and adjust their home environment. One of the implications of this purchase is that Google could soon have far deeper insights into what Nest’s customers are doing in their homes.

Although this is arguably a trend that is only going to grow, the question to ask is whether companies reaching into customers’ most intimate spaces have adequate protections in place to protect their personal data. Here is one possible integration (there have been no announcements about integrations yet, so this is speculation) from Stacey Higginbotham, writing for GigaOm in her article titled “When Google closes the Nest deal, privacy issues for the internet of things will hit the big time”:

As a user of Google Now, the contextual service that tells me when to leave my house to make it to my next appointment in time, I see no reason Google couldn’t also tell my thermostat to cycle down before I actually leave. Or, based on my movements in my home, Google could start screening my calls. If I’m in the bedroom and motionless maybe Google could block the work calls from my colleague Om Malik.

Google’s business model, like many other consumer-facing companies’ business models, is changing to become far more context aware. We’re seeing that in apps that know our location and where we are going next and warn us when to leave to make it on time. That just scratches the surface, and this trend can be tremendously helpful and useful if we can be sure that our personal information is not being abused or left vulnerable to exploitation. As Higginbotham points out –

Nest and the products the company builds could help provide ever more contextual clues to Google that it can use to help make your life better and even save you money. But in doing so we need to hold it, and other companies seeking to enter the connected home market, to a well-defined set of standards around data security and privacy. That means the industry and the regulators need to move past this impasse: where the internet of things is awesome but will also kill you because strangers can hack into your home and control your medical devices.

Don’t place too much emphasis on the Protection of Personal Information Act

With the Protection of Personal Information Act signed and likely to be implemented to some degree sometime this year, it is fashionable to focus on POPI when thinking about data protection and privacy. While POPI is a very important Act, a complete data protection review has to take into account much more. I prepared a diagram to give you a quick overview of what you should be considering when you assess your compliance readiness.

[Diagram: Privacy is more than just POPI]

POPI compliance and your plan to fail



The Protection of Personal Information Act has been in the pipeline for so long I keep expecting someone to develop a drinking game around “POPI” mentions in conferences (every time a speaker says “POPI”, everyone takes a drink). The Bill was passed by Parliament and the President has signed it into law as the Protection of Personal Information Act (No. 4 of 2013). The next step is POPI’s commencement date in a government gazette and the final countdown to its implementation and a compliance deadline. A copy of the Act is at the bottom of this post for your reading pleasure.

Unfortunately many companies may have left their preparation too late, especially the larger companies, and have not yet established a complete set of practices and processes to ensure their compliance with POPI’s many requirements. Although companies will likely have a year before many of POPI’s compliance requirements go into effect, a year is simply not enough time to prepare adequately. Compliance isn’t just a matter of writing a privacy policy and publishing it. In order to comply with POPI, organisations have to ensure that all their underlying processes are aligned with POPI’s requirements. In this sense a privacy policy is really more of a description of a series of data protection practices which have been implemented throughout the organisation. If there is a disconnect between your organisation’s practices and processes and what the privacy policy describes, the consents you are hoping to obtain through the privacy policy will amount to little more than lip service to the legislative framework it serves.

Something else to bear in mind is that a data gold rush before POPI comes into effect may amount to a waste of time, money and effort. Some of my colleagues have advised their clients that POPI will not have retrospective effect, so anything done before POPI goes into effect will not be affected by POPI’s more stringent restrictions. They are likely correct about POPI not having retrospective application, but POPI’s compliance requirements will almost certainly not be waived just because you collected personal information before POPI’s implementation date. If, for example, you don’t obtain adequate consent for your intended personal information uses before POPI is implemented, I doubt very much that this will be excused once POPI goes into effect. You could find that your shiny data treasure trove is tainted and must be discarded, and you will have to start again and do the work you should be doing now (if you haven’t done it already).

The bottom line, so to speak, is that if you haven’t prepared for POPI you may not have much time left. As the saying goes, your failure to plan for POPI is, effectively, your planned failure to comply.

That said, here are a couple of next steps on your road to compliance:

  1. Review your processes which touch on personal information collection and processing. The best data protection policies are useless if your underlying processes are not going to comply with POPI’s requirements. Your marketing teams, in particular, need to understand how POPI affects them and must assess their databases, marketing initiatives and other personal information-related activities. Don’t forget to include internal data processing in your review. You will have to apply similar principles to the personal information you process internally so your human resources people need to be involved too.
  2. Align your marketing initiatives with your organisation’s compliance requirements and your underlying processes. Marketing campaigns rely on personal information, and they have to be supported by the day-to-day data processing workflows and, in turn, support essential policy frameworks. Don’t just leave this up to your marketing teams; you need people who understand POPI’s impact and can mediate between Marketing/Communications and Legal/Compliance imperatives.
  3. Take into account industry regulatory frameworks like the WASPA Code of Conduct. It is now backed by a law and could have a fundamental impact on any mobile initiatives you are running. Failure to comply with WASPA’s Code and its Advertising Rules can behead a mobile campaign that relies on mobile short codes, for example.
  4. Develop and implement clear and practical privacy or data protection policy frameworks. These policy frameworks must be supported by the practical realities of how your teams handle personal information every day. A policy framework in a process vacuum is pretty ineffective and a pretty short road to reputational harm and regulatory attention.

Preparing for POPI is not a quick and easy process, and I’m not saying this because it is one of my focus areas: the more you delve into the law, the more you realise what a mammoth undertaking it is. Call me if you could use some help. Alternatively, read the Direct Marketing Legalities Survival Guide I published earlier this week. I explain many of the compliance requirements in POPI and other legislation like the Electronic Communications and Transactions Act and the Consumer Protection Act, as well as WASPA and ISPA Hall of Shame considerations.

That’s my data you’re fondling


TechCentral published an article by Richard Mullins, titled “Data, the hidden treasure in publishing” which raises a number of important issues. The premise of the article and the challenge facing publishers is nicely summarised in these two paragraphs in the article:

Their biggest hope of making money lies in unlocking the value of the reams of data they collect about their audience. This data is the most valuable commodity they are sitting on, yet it can be as hard to access as veins of gold buried deep below the surface of the earth. Over the years, publishers have built their online operations in a fragmented and ad hoc manner, adding in new technologies, tools and channels as they have needed to.

and

Yet the opportunity for publishers to package all their information and resell it to digital marketers is one they cannot afford to ignore any longer. It is the greatest value they have to sell their advertisers and they need to start thinking of how they are going to deliver the value and monetise the gold they are sitting on.

Mullins talks about this data as if publishers have acquired it and are free to do with it as they wish, if only they develop the infrastructure to exploit it more effectively. He highlights a need we’re seeing in various industries – the need to make better use of data stored in silos in the organisation to market the organisation’s products and services more effectively. At first glance this makes a lot of sense, but this approach to the data begins to smell a little funky when you take a few steps back and consider whose data we’re talking about here.

Choice

The Protection of Personal Information Bill’s 5th working draft recognises three principles as the basis for the legislation:

  • section 14 of the Constitution of the Republic of South Africa, 1996, provides that everyone has the right to privacy;
  • the right to privacy includes a right to protection against the unlawful collection, retention, dissemination and use of personal information;
  • the State must respect, protect, promote and fulfil the rights in the Bill of Rights.

The Bill goes on to record a number of rights “data subjects” (defined as the “person to whom personal information relates”) enjoy. These rights are designed to give data subjects more meaningful control over their personal information (privacy under the Protection of Personal Information Bill is not about secrecy, it’s about informational self-determination). Included in the Bill are provisions which deal specifically with direct marketing as a use of this personal information. “Unlocking the value of the reams of data” the publishers have collected is a euphemism for marketing using that personal information, or even selling that data. Both activities will be regulated by the Protection of Personal Information Bill, and direct marketing is already regulated, in varying degrees, by a combination of the Consumer Protection Act, the Electronic Communications and Transactions Act and industry codes of conduct.

The trend reflected by these industry codes of conduct and the Protection of Personal Information Bill is towards a requirement that marketers obtain specific and informed consent from consumers before processing that data (the definition of “processing” isn’t settled in the Protection of Personal Information Bill, but the current options cover virtually any use of the data, from collection to aggregation to making more direct uses of it). The sort of consent contemplated by the Protection of Personal Information Bill is fairly specific. At the very least a customer must have given informed consent, in the context of a sale of a product or service, to receive marketing information pertaining to the marketer’s “own similar products or services”. There are also restrictions on how marketers can source the personal information they wish to collect. Generally speaking, they should obtain the personal information directly from the data subject.

While publishers may see the personal information they possess as a goldmine to be exploited, most (if not all) that personal information pertains to consumers whose consent the publisher may well require before it can do any of that exploiting. There are a number of ways to secure that consent, both before and after the personal information is collected, and the appropriate methods will very much depend on the publishers’ specific circumstances.

Data portability

Leaving aside consent requirements, a related issue which will likely come to the forefront of the debate is data ownership and data portability. The one area where we will see this issue arise is, interestingly enough, in online banking. I spoke to Christo Davel from 22seven about a week and a half ago (you can read our report titled “Your 22seven risks and where banks draw the line” for more about 22seven and related issues) and he raised data portability as a key issue going forward. 22seven collates information about its users’ transactions, potentially from a variety of banks, in order to conduct the analyses it conducts and render its services. The banks objecting to their customers using 22seven seemed to ignore the fact that the transactional information under their care belongs to their customers. If their customers want to disclose their data to 22seven or other providers then the banks should make reasonable efforts to alert customers to the risks, limit access insofar as is required to reasonably protect their infrastructure and otherwise permit customers to take their data out. This is one area where Google has innovated with the Data Liberation initiative.


Data portability could create some fairly interesting situations for providers. One relates to competition between similar providers and how users wanting to move their data from one provider to another could affect ordinary competition. If users are given the ability to export their lists of contacts, connections, preferences and so on and import those data into a competing provider’s platform, what would the constraints be on providers as between each other? At what point would a provider be competing unlawfully?

Humanise the data

Returning to Mullins’ point about publishers and their untapped data silos, publishers shouldn’t lose sight of whose data they are mining and the consents they may well require before passing it around their various operating divisions and partners.

That said, better use of that data can be in consumers’ interests too (if the appropriate consents are obtained). Google has been arguing for years that knowing more about potential customers gives marketers the ability to present them with more relevant advertising. Facebook customises ads on the fly as you update your status and connect to people and Pages. As Mullins put it –

The publisher can help an advertiser to remarket to and re-target that customer who has, for example searched for LCD TVs online, read reviews and clicked on an ad; and is clearly in the market for a new television.

The middle ground is respecting consumers’ rights and working within the parameters established by the law and prevailing legal frameworks with a view to presenting customers with marketing material they want.