
How Safe Is Your Data?

Overview

Your data might not be as safe as you think it is — and it could cost you dearly.

Part of the threat comes, unwittingly, from your employees — and, possibly, even yourself. A significant proportion of cyber breaches (as many as 30%) are caused by “negligence or mistakes,” with individuals failing to act responsibly or to follow procedure.

Two decades after the launch of the web, digital has become so ingrained in our lives that it’s easy to assume you know the best security practices to keep you and your organization safe from a data breach. But as technology continues to drive changes in the way we live and work and as the Internet of Things becomes more omnipresent, the digital risks we all face are only going to increase as more and more devices share data around the world.

Read on for some simple steps you can take to help keep your data more secure.

In-Depth

A growing threat, but an inadequate response

The number and potential severity of cyber breaches is increasing. A recent PwC survey found that nearly 90% of large organizations suffered a cyber security breach in 2015, up from 81% in 2014; the average cost of these breaches more than doubled year-on-year. With more connected devices than ever before — and the total expected to reach 50 billion by 2020 — there are more potential targets for attackers, as well as more potential for accidental breaches.

What’s more, as of late 2015, companies are, for the first time, listing their information assets as nearly as valuable as their physical assets, according to the 2015 Ponemon Global Cyber Impact Report survey, sponsored by Aon.

So how do you keep your organization’s data — and that of your clients and customers — safe?

According to Aon cyber insurance expert Stephanie Snyder Tomlinson, it’s not just a matter of investing in better technology and more robust systems.

“A lot of companies find that the weakest link is their employees,” Snyder Tomlinson says. “You need to train employees to make sure that if they get a phishing email, they’re not going to click on the link; that they don’t have a Post-it note right next to their monitor with all of their passwords on it. It’s the human error factor that companies really need to take a good hard look at.”

From intern to CEO: Simple steps everyone can take

It’s easy for individuals to become complacent about data security, says Brad Bryant, Aon’s global chief privacy officer. But with cyber threats increasing, it’s more important than ever to be aware of the seemingly innocent individual actions that can potentially lead to serious cost and reputational consequences for your organization.

According to Bryant, there are four key things everyone can do to help protect themselves and their organizations from the rising cyber threat:

  • Be alert to impersonators — Hackers are becoming increasingly sophisticated at tricking people into giving away sensitive information, from phishing to social engineering fraud. You need to be more vigilant than ever when transmitting information. Are you certain they are who they say they are?
  • Don’t overshare — If you give out details about your personal life, hackers may be able to use the data to build a profile to access your or your company’s information. From birthdays to addresses, small details build up.
  • Safely dispose of personal information — A surprising amount of information can be retained by devices even after wiping hard drives or performing factory resets. To be certain your information is destroyed, you may need to seek expert advice or device-specific instructions.
  • Encrypt your data — Keeping your software up to date and password-protecting your devices may not be enough to stop hackers should those devices fall into the wrong hands. The more security the better, and, with the growing threat, encryption should be regarded as essential.

Key approaches for organizations to better protect data

To protect your own information and that of your customers and clients, investing in better cyber security is only one element. But data breaches don’t just happen through hacks, or even employee errors. At least 35% of cyber breaches happen because of system or business process failures, so it’s vital to get the basics right.

Prevention is key, says Tom Fitzgerald, CEO of Aon Risk Solutions’ U.S. retail operations. There are four key strategies he recommends all organizations pursue to limit the risk and make sure they’re getting the basics right:

  • Build awareness — Educate employees on what social engineering fraud is, especially those in your financial department. Remind employees to be careful about what they post on social media and to be discreet at all times with respect to business-related information.
  • Be cautious — Always verify the authenticity of requests for changes in money-related instructions, and double-check with the client or customer. Do not click on random hyperlinks without confirming their origin and destination.
  • Be organized — Develop a list of pre-approved vendors, and ensure employees are aware of it. Review and customize crime insurance; when it comes to coverage or denial, the devil is in the details.
  • Develop a system — Institute a password procedure to verify the authenticity of any wire transfer requests, and always verify the validity of an incoming email or phone call from a purported senior officer. Consider sending sample phishing emails to employees to test their awareness and measure improvements over time.

Much of this advice is not new — but the scale of the threat is increasing, making following it more important than ever.

“Social engineering fraud is one of the greatest security threats companies can encounter today,” Fitzgerald warns. “This is when hackers trick an employee into breaking an organization’s normal digital and physical security procedures to access money or sensitive information. It can take many forms, from phishing for passwords with deceptive emails or websites to impersonating an IT engineer, to baiting with a USB drive.”

How governments are driving data protection

The potential consequences of inadequate data security are becoming more serious as courts and regulators focus on this issue globally.

The EU is considering a data protection directive to replace previous regulations implemented in 1995. The expected result will be a measure that focuses on protection of customer data. Similarly, an October 2015 ruling by the European Court of Justice highlighted the transfer of customer data between the E.U. and the U.S.

“Regardless of where a company is located, the provision of services to E.U. customers and the collection or mere receipt of personal data from European citizens may potentially subject companies to E.U. jurisdiction,” Bryant warns. “Failure to comply could present unprecedented risk for companies, including fines of up to 4% of a company’s total global income.”

It’s not just changing E.U. rules that could affect your business. Internet jurisdictions and organizational operations are increasingly becoming cross-border. This global patchwork of internet rules and regulations is why only 24% of cyber and enterprise risk professionals are fully aware of the possible consequences of a data breach or security exploit in countries outside their home base of operations.

Why getting the basics right is critical

As the Internet of Things continues to grow, the number and range of potential targets for cyber attack is only going to increase. While eliminating all cyber risk may be impossible, getting the basics right is becoming more important than ever.

“Given the large scope and impact of the various changes in data protection law, coupled with the drastic increase in fines, becoming educated on how to protect our data is more business-critical now than ever before,” Bryant says.

Talking Points

“The average cost per user of a data breach is now $240… The costs are costly, but the current model of privacy will not make sense going forward.… The Snowden revelations advanced hope that there would be this really excited response that would get government to impose really strict regulations. There was some posturing made, and it seemed like we were heading in that direction, but I don’t think we are going there.” – Lawrence Lessig, Roy L. Furman Professor of Law, Harvard Law School

“A step change in sanctions will make privacy a board-level issue. Some businesses will need to start taking these issues a lot more seriously.” – Tanguy Van Overstraeten, Linklaters

“The digital future of Europe can only be built on trust. With solid common standards for data protection, people can be sure they are in control of their personal information.” – Andrus Ansip, Vice President for the E.U. Digital Single Market

Further Reading


Do You Have a Right to Be Forgotten?

Earlier this year, the European Court of Justice ruled that Google is a “data controller” under the 19-year-old European data protection law, which gives individuals rights over data about them that others control. This ruling could effectively limit what information is available on the Internet in Europe, and possibly also what information would be allowed in the U.S.

For example, in Spain, nearly 100 citizens would like to have information about themselves deleted from the Web. Some are embarrassed about misdemeanor arrests years ago when they were in college. Others have been victims of identity thieves or violent crimes and, understandably, don’t want their home addresses to be easily determined.

The issue comes up because the official Spanish government gazette, published every weekday for 350 years, contains data that is required to be published publicly about bankruptcy, crime and other potentially sensitive subjects. In years past this publication was difficult to access and typically went unread, gathering dust in a library. But two years ago the gazette’s information went online, making old and potentially embarrassing data easy to find. The Spanish government has ordered Google to stop indexing information concerning the 100 citizens who filed complaints with the Spanish Data Protection Agency. These cases are now in the Spanish courts.

American law is based on the concepts of free speech, the public’s right to know and unfettered debate. U.S. courts have determined that the right to publish true statements by one about the past of another person outweighs the other person’s right to privacy. In Europe, there is no general right to say anything about anyone, even when the statement in question is true.

International law experts have declared that the American and European cultures are headed in different directions as to legal notions of privacy.

Europeans seek to balance freedom of speech and the public’s right to know against the personal rights of privacy of others. The European perspective has been shaped by the experience of individuals as victims in data collection and use by dictators like Franco, Mussolini and Hitler, and by Soviet authorities.

In Germany, two persons who murdered someone 20 years ago have recently sued to suppress their identity as criminals on the basis of their own rights of privacy and their so-called “rights to be forgotten” after their criminal sentences have been served.

Google has faced suits in Germany, Switzerland and the Czech Republic over its “Street View” feature, which collects photographs of streets, private homes and businesses. In Germany, citizens are given the option not to have their home or business photographed, and more than a quarter of a million have chosen it. By contrast, this issue has generated little debate in the U.S., where persons may take pictures of anything in plain sight from a public street.

European Union surveys have found that three in four persons worry about how Internet companies use their information and want the right to delete personal data at any time. Ninety percent believe the European Union should formalize in law the “right to be forgotten.” These individuals want to retain some limited rights to their own data, even if it is in cyberspace – they want, in effect, a right to withdraw from others permission to store their personal data.

The U.S. recognizes no such right to be forgotten or deleted. But the Federal Trade Commission has recommended that companies collect only the data about persons that they need and delete information that is no longer necessary. Congress has introduced a “Do Not Track Kids Act of 2011,” which would require companies to allow parent and child users to delete publicly available information about minors from a website. The bill remains pending.

Some parents have been shocked to learn that their minor children have accumulated large amounts of debt because of the unlawful use of their Social Security numbers by others. There were more than 4,000 cases of child identity theft found in 2010 from a random pool of 40,000 American children age 18 and younger, a higher rate than for adults. Criminals like to use children’s Social Security numbers because adults have their own existing credit records under their own names.

Google and other search engine companies have argued that the Spanish consumers and others should not seek to hold search engines responsible for information they extract from the Web, but should instead seek redress against those parties that posted the allegedly private information in the first place. But many European legal experts expect the search engines to nonetheless become more regulated because they are the ones effectively spreading the information that otherwise would likely not be found.