Personal Data Protection Law: Implications for companies and individuals
published : 20 Aug 2019 at 15:59
What constitutes a data breach? What are the challenges and focus areas? How do data protection frameworks figure? And how should we shape a DLP (data leakage prevention) program?
A data breach is an incident that involves sensitive, protected, or confidential information being copied, transmitted, viewed, stolen or used by an unauthorised individual. That exposed information may include credit card numbers, personal health information, customer data, company trade secrets or matters of national security.
Challenges and focus areas
Why is protecting data so difficult? For one thing, we have seen an explosive growth in data. Data is doubling in size every two years. By 2020, the volume is expected to reach 44 zettabytes (trillion gigabytes). Meanwhile, data continues to proliferate as the average organisation shares documents with 826 external domains or organisations.
Business and technology innovation add another layer of complication. Innovations are creating additional cyber risk for organisations. Many organisations have started moving mission-critical applications to the cloud. The average company uses 738 cloud services and by 2020, the world will have five billion Internet of Things (IoT) devices. Some 6,488 new security vulnerabilities were added to the National Vulnerability Database (NVD) in 2015 alone. But cyber risk standards, laws, and regulations can’t keep up with business and technological change and evolving adversaries.
As of June 2018, 9,727,967,988 records had been lost since 2013. In June 2019, the figure was 14,717,618,286. Only 4% of those records were encrypted (source: breachlevelindex.com). Then there is a consistent failure to implement security fundamentals. Many companies lack standard data protection capabilities such as malware protection and data lifecycle management. A year later, 99.9% of exploited vulnerabilities were compromised.
An introduction to DLP (data leakage prevention)
Data leakage is the movement of an information asset from an intended state to an unintended, inappropriate or unauthorised state, representing a risk or potentially negative impact to the organisation.
Data comes in structured and unstructured types. Structured data is hierarchical, relational and network oriented. It includes XML files, relational information (i.e. databases), files with detailed attributes, and transactional information. Unstructured data includes emails, blueprints, audio, video and images.
Data may be personal or corporate. Personal data includes your name and address, date of birth, national identification number, credit card numbers, and financial and medical information. Corporate data can be corporate strategy, legal aspects, intellectual property, and financial, sales and marketing information.
Data is vulnerable to two sources of threats: insiders and outsiders. Insiders range from disgruntled employees to contractors, outsourcers, business partners/vendors, and fraudsters. Outsiders range from spies and industrial espionage to cyber terrorists, scammers (e.g. phishers), social engineers, and script kiddies.
So data leakage can come in many forms, compromise various types of personal or corporate information, and be targeted by internal and external groups.
How can a data leak occur to your organisation? Sensitive data can be lost or compromised either intentionally or unintentionally, whether users act in a malicious or careless manner.
Typically data has states: in use, in motion, and at rest.
With data in use, the case may concern disgruntled or terminated employees copying files containing personal or confidential information to portable devices. Or it may involve users printing sensitive data to equipment in common areas accessed by others.
Data in motion can concern users sending sensitive data to personal webmail accounts in order to work at home. Or personal and confidential information shared with third parties for valid business purposes using insecure transmission protocols. Sometimes malicious insiders transmit personal and confidential information to outside organisations’ networks.
Data at rest cases arise where business users innocently place personal information in insecure storage locations where access is not limited to the appropriate personnel. Or database administrators may store backup copies of sensitive data in unapproved locations.
Data protection frameworks
The first thing to realise with data protection frameworks is that data-centric protection must occur throughout the data lifecycle. Siloed data protection capabilities and technologies have proven to be ineffective. Each technology/capability plays a critical role in solving the data protection “puzzle” throughout the data lifecycle.
Sensitive data is collected by an organisation as part of its day-to-day operations via point of sale devices, application forms, data from credit bureaus etc.
Collected data is stored across multiple solutions such as databases, backup locations, third party storage, etc, for further use by applications and users.
Data usage and sharing is involved when data is transmitted from storage solutions for processing on internal and external servers, applications, end-user devices and other devices within or outside the network.
Data is retained or destroyed by the organisation per regulatory, internal compliance or business requirements, using electronic or physical media for retention.
Shaping up a DLP program
Shaping up your DLP program depends on your needs and priorities and the maturity of your data protection program.
Start with a data discovery exercise to understand where structured and unstructured sensitive data exists, and use it to propose recommendations on how to protect and manage the identified sensitive data.
Then hammer out a data protection assessment and strategy. Conduct a data protection assessment to understand key risks the organisation is facing, pinpoint capability maturity and spot any gaps that exist. Develop a data protection strategy and roadmap to define the components and capabilities needed to build a data protection program.
The next step is a data exfiltration risk assessment. Conduct a risk assessment to identify areas that are most at risk of data being exfiltrated. Remediation activities required to strengthen those areas will become apparent.
The next step is data protection technology and capability implementation. Here we would assist with implementation and deployment of data protection technology solutions and capabilities, providing full technology implementation support.
Data protection foundation development follows where we develop supporting capabilities such as governance, operating models, key risk indicators, key performance indicators etc, to enhance the data protection program.
Our managed services provide service level agreement (SLA) functions for data leakage prevention tools, including event analysis, system maintenance, reporting and operational tasks.
DLP programs – common challenges and risks
Organisations continue to face a number of common challenges and risks when trying to protect their vast quantities of sensitive data.
The most important thing about rolling out a program is monitoring. If you just put the system in place and pray that it will detect some breach, that’s not okay. The system will generate a lot of information and you need to stay on top of it. If there is any breach, find out about it and report it. Six months later, do a thorough review to see whether the rules set in the system need to be fine-tuned.
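To make the data discovery step and the monitoring/tuning point concrete, here is an added example (not code from the article or from Deloitte) of a minimal DLP content-inspection pass: it tags each event with the data state the article describes (in use, in motion, at rest), validates candidate card numbers with a Luhn checksum so that order numbers do not trigger false positives, masks matched values in the alert, and produces per-rule counts for the periodic rule review. The channels, rule names, keyword list and sample events are constructed assumptions for illustration.

```python
import re

# Constructed sample DLP events modelled on the article's leakage scenarios (not real logs).
SAMPLE_EVENTS = [
    {"channel": "webmail", "user": "alice", "content": "Customer card 4111 1111 1111 1111 exp 12/27"},
    {"channel": "usb", "user": "bob", "content": "Order ref 1234 5678 9012 3456 shipped"},
    {"channel": "fileshare", "user": "carol", "content": "Backup: patient 7788, diagnosis attached"},
    {"channel": "print", "user": "dave", "content": "Agenda for Monday meeting"},
]

# Channel -> data state, following the article's in use / in motion / at rest split (assumed mapping).
CHANNEL_STATE = {"usb": "in use", "print": "in use", "webmail": "in motion", "fileshare": "at rest"}

CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits with optional separators
PHI_TERMS = ("patient", "diagnosis", "medical record")  # constructed keyword rule for health data

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from order numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_card_numbers(text: str) -> list:
    candidates = (re.sub(r"[ -]", "", m.group()) for m in CARD_RE.finditer(text))
    return [d for d in candidates if luhn_ok(d)]

def evaluate(event: dict) -> list:
    """Apply the content rules to one event and return alert records tagged with the data state."""
    state = CHANNEL_STATE.get(event["channel"], "unknown")
    alerts = []
    for card in find_card_numbers(event["content"]):
        masked = card[-4:].rjust(len(card), "*")   # keep only the last four digits in the alert
        alerts.append({"rule": "card_number", "user": event["user"], "state": state, "match": masked})
    if any(term in event["content"].lower() for term in PHI_TERMS):
        alerts.append({"rule": "phi_terms", "user": event["user"], "state": state, "match": None})
    for alert in alerts:   # data leaving the organisation or being copied out ranks highest
        alert["severity"] = "high" if state in ("in motion", "in use") else "medium"
    return alerts

def run(events: list) -> list:
    return [alert for event in events for alert in evaluate(event)]

def rule_counts(alerts: list) -> dict:
    """Per-rule totals for the periodic review that decides which rules need tuning."""
    counts = {}
    for alert in alerts:
        counts[alert["rule"]] = counts.get(alert["rule"], 0) + 1
    return counts
```

Running `run(SAMPLE_EVENTS)` yields two alerts (alice's card number in motion, carol's health terms at rest) and none for bob, whose digit run fails the Luhn check.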
Bottom line: the evolution of data is driving organisations to re-evaluate and refocus their information management practices to better mature and integrate DLP within core business processes.
Author: Ms. Parichart Jiravachara, Partner, Risk Advisory, Deloitte Touche Tohmatsu Jaiyos Advisory Co., Ltd.
Series Editor: Christopher F. Bruton, Executive Director, Dataconsult Ltd, email@example.com. Dataconsult’s Thailand Regional Forum provides seminars and extensive documentation to update business on future trends in Thailand and in the Mekong Region.