The role of governments and regulation
In response to the escalating costs of personal data theft and the identity theft that follows, governments and industries around the world have passed regulations to compel companies to take their security programs seriously. While well intentioned, new regulations have led to a disjointed patchwork of requirements that global organizations must comply with, which can be counterproductive. Regulations will need to balance the equation between the costs of cybercrime and the benefits to attackers if they hope to stem the tide of cyber-attacks and the growing impact cybercrime is having on the global economy.
Industry regulation
Historically, information protection regulations were created on a per-industry basis. For example, in 2004, the world's largest credit card companies' council, known as the Payment Card Industry (PCI) Council, released the first Payment Card Industry Data Security Standard (PCI-DSS). This guidance was applicable to anyone who sought to store, process, or transmit payment card data and set certain requirements based on the number of transactions a company was involved in during a given year. In 1996, the United States passed the Health Insurance Portability and Accountability Act (HIPAA), which included privacy regulations for health-related data.
Industry regulations are often prescriptive and specific when defining what types of information should be protected and how. For example, PCI-DSS has 6 control objectives that organize 12 specific requirements for anyone storing, processing, or transmitting credit card information. Because the scope of data to be protected is so narrow, giving specific guidance to companies is feasible.
As time has passed, industry-specific regulations have given way to broader data privacy regulations passed by governments that were interested in curbing the economic effect of identity theft. Additionally, many of these regulations are designed to establish the rights of people to exert control over data used to identify them and to define the responsibilities of the organizations that collect their data.
The growing need for data privacy regulation
The invention of computers and digital storage changed the nature of data collection and control over information. The digital age has made copying data and sharing it with others easier than ever before. As technology changed and outsourcing of specific functions became more prevalent, individuals lost control over who had access to information that could cause them harm. There were few rules related to how data could be handled and whom it could be shared with. Furthermore, when a person provided their information, there was little transparency about how it would be used and by whom. Over the years, countless data breaches caused harm to individuals. In many cases, the organization that was breached held information belonging to individuals who had never provided their information directly. In response, governments began to pass regulations designed to establish data subject rights and severe penalties for those who violate them. The European Union's General Data Privacy Regulation (GDPR) has been the most impactful and well-known data privacy regulation.
GDPR
In 2016, the European Union sought to broaden regulations related to personal data and passed GDPR, which went into effect in 2018.
GDPR is made up of 11 chapters and 99 articles. It covers a wide variety of topics and seeks to establish data privacy as a basic right for European citizens and to give control to data subjects over how their data is used and processed. The 99 articles and 11 chapters of GDPR are detailed on the following website: https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en.
Originally, much of the conversation about GDPR was about the harsh penalties that are laid out in the legislation. Companies can be fined up to 4% of their global revenue for violations of GDPR. However, the supervisory authorities have been mostly collaborative with companies who are trying to comply and protect data subjects' personal data and associated rights. Willful negligence or a failure to exercise due care with personal data can be punished severely.
Parts of GDPR are groundbreaking and have forced companies to adopt new best practices. For example, GDPR sets limits on how long data can be retained and forces companies to map how personal data flows throughout their organizations. Both are best practices for all types of sensitive data, but prior to GDPR, few companies understood their data well enough to comply with these provisions.
Unlike PCI-DSS, GDPR must cover a broad spectrum of companies and data types, so the requirements are far less specific. Also, the regulation was written to establish rights and responsibilities, so as technology changes, the methods of protecting information can change without amending the legislation.
Example Case: British Airways
British Airways suffered a data breach in 2018 that affected 400,000 customers. The Information Commissioner's Office (ICO) is the GDPR supervisory authority in Great Britain and therefore is assigned to British Airways. After the breach was made known, the ICO investigated the factors that led up to the breach of sensitive information. The ICO determined British Airways had security weaknesses in systems processing personal information that they knew about and failed to address. In addition, the ICO determined that more people were affected than necessary based on British Airways' failure to discover and remediate the issue in a timely manner. After the investigation, the ICO said, "Their [British Airways'] failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That's why we have issued BA with a £20m fine – our biggest to date." (Page, 2020)
The source of the breach was a known vulnerability in a third-party piece of JavaScript known as Modernizr, which British Airways used as part of its payment processing site. A hacking group was able to exploit the vulnerability to redirect personal and payment information to a website they owned, giving criminals access to crucial customer information. In many cases, companies claim they are the victim of an advanced attack when a breach occurs, but that was clearly not the case in this instance. According to a Wired article, "The vulnerability in Modernizr is a well-known one, and BA had not updated it since 2012 – long after problems were known to exist." (Stokel-Walker, 2019). Even after the breach, the ICO found British Airways had failed to take adequate steps to secure their website.
The fine was significant because it was determined that British Airways was not only a victim of a cyber-attack, but they also failed to exercise due care to protect customer information, and as a result, consumers were harmed. This was the exact situation GDPR was developed to address. The legislation provides a method for supervisory authorities to compel companies to take the protection of PII seriously.
While the fine was record-breaking, it was reduced after an appeal by British Airways citing the COVID-19 pandemic and the damage it caused to their business. The originally proposed fine was £183 million. The reduction from the proposed amount to the settlement amount was partly in recognition of the improvements that British Airways made to prevent similar events from happening in the future.
For many years, organizations have ignored security best practices and put individuals' information at risk. Because of the pace of cyber-attacks, the brand damage is often short-lived, and the cost of securing information could outweigh the benefits. The implementation and enforcement of GDPR has ensured that securing personal information belonging to consumers is good business and that not securing information appropriately carries severe consequences.
While GDPR is the best-known privacy regulation, there are several others around the world with similar goals that are also enforced. One of the challenges for multinational enterprises is keeping up with all the global regulations they are subject to and the changes to each.
Next, we will look at a law older than GDPR that is being updated to place a greater emphasis on individual rights to data.
Act on the Protection of Personal Information (APPI)
The next consequential piece of legislation, Japan's Act on the Protection of Personal Information (APPI), predates GDPR. However, since the passage of GDPR, APPI has been updated to establish the rights of data subjects and the responsibilities of companies to protect personal information.
APPI was originally passed on May 30, 2003. It has been amended several times; the most recent amendment, passed in 2020, comes into effect in April 2022. The International Association of Privacy Professionals (IAPP) often writes about changes to international privacy regulations. You can find an article on the recent changes to APPI at the following link: https://iapp.org/news/a/japan-enacts-the-act-on-the-protection-of-personal-information/.
There is commonality between the objectives of APPI and the objectives of GDPR, but the rules are different. As a result, companies operating in Europe and Japan must build their security programs to meet the requirements of both jurisdictions.
California Consumer Privacy Act (CCPA)
It is difficult to operate globally and comply with different regulations between countries and regions. However, in the United States, the situation is much worse. In the absence of national data privacy regulations, many states have begun passing their own patchwork regulations. The most comprehensive and well-known is the California Consumer Privacy Act (CCPA), but there are separate pieces of legislation across many states that further complicate compliance efforts. CCPA was largely based on GDPR. However, it has fewer articles and has expanded the definition of personal information to include information that can be used in machine learning datasets. There is a good summary of CCPA provided by Thomson Reuters Westlaw at the following link: https://govt.westlaw.com/calregs/Browse/Home/California/CaliforniaCodeofRegulations?guid=IEB210D8CA2114665A08AF8443F0245AD&originationContext=documenttoc&transitionType=Default&contextData=(sc.Default).
When studying regulations around the world, some common themes emerge:
- Data subjects own the data that identifies them. Those who store, process, or transmit it are granted a license to do so only through consent, and they do not own the information.
- Companies who collect information cannot sell or share that information without the consent of the data subjects.
- Data subjects should know exactly how data about them is being used.
Many companies are under direct attack through this type of legislation, such as advertising companies that curate lists and social media companies that trade free services for information about individuals that they can profit from.
There are several other privacy regulations passed by individual countries, such as PIPEDA in Canada and Australia's Privacy Act. Most new regulations deal with personal information and many of the objectives are similar. However, the responsibilities a company has under each law can be contradictory. Multinational enterprises struggle with a regulatory tapestry that grows in complexity with each passing year.
There is no doubt that identity theft is a major problem globally. However, the patchwork of regulations around the world makes it difficult for short-staffed security teams to comply with the regulations. Furthermore, security begins where compliance ends, and if security teams are spending all their time on compliance initiatives, there is little time remaining for those teams to focus on their primary mission.
While data privacy regulations are growing in popularity, data sovereignty regulations also exist. The primary difference between data privacy and data sovereignty is that data privacy is designed to control who can access information, whereas data sovereignty primarily regulates international data transfers.
Data sovereignty regulations
Many regulations are designed to control the flow of data between countries. In most cases, data can be transferred under certain circumstances. The stated purpose is to ensure private data is not transferred to countries where the government can infringe upon privacy rights. Countries such as China and the United States, where the government has the power to compel companies to share information about individuals without their consent, are often primary targets of data sovereignty rules. There are differing opinions about the right to privacy among countries around the world. As a result, many countries seek to limit the flow of information across borders. However, these regulations often create complexity in the modern world. Information does not respect terrestrial borders, and cloud services are designed to optimize performance, not to operate in specific jurisdictions. As a result, the unintended consequence is to make it more difficult for companies headquartered in countries with restrictive data sovereignty rules to be competitive globally. Few new regulations include data sovereignty elements, but many restrictive data sovereignty rules still exist.
Another area where governments have regulated business affairs that relates to information security is the idea of workers' councils. Workers' councils are designed to represent the interest of employees and balance power between labor and companies. While these councils serve many functions, among them is reviewing a company's plans for employee monitoring and electronic surveillance.
Workers' councils
In several countries, such as Germany, Switzerland, and the Netherlands, workers are granted rights and representation that allow them input into how employees are monitored in the workplace. These workers' councils often hold significant power and must be consulted before a company can implement security controls that monitor employee communications and behavior. The rules and objectives differ between jurisdictions, but the councils are in place to prevent employers from using electronic surveillance in an oppressive manner.
However, to protect information and comply with relevant regulations, organizations must implement forms of electronic monitoring. As a result, these conversations become an important element of a security program. The issues raised by workers' councils are often related to whether the systems can monitor worker productivity, invade their privacy with respect to personal communications, or present the opportunity for human bias to influence the security program. Security professionals operating in these areas must listen to the workers' councils and become skilled at explaining the intention of their controls and how workers' rights will be protected throughout the implementation and operation of those controls.
These types of regulations allow governments to exert influence on how data is collected, stored, processed, or transmitted. They have been implemented to correct an imbalance or to compel organizations to secure information properly. Simply complying with regulations does not constitute an effective security program. Compliance regulations set rules for what an organization can and cannot do. Security is the art and science of protecting people, information, and systems.