Not all data is created equal. When organisations talk about “data” and data security, it can be easy to see it as a soulless string of ones and zeros. In reality, it could be some of our most personal information, from our home address and telephone number to our bank account details or our holiday photos. So, it’s easy to see why there are certain types of “data” we would want organisations to guard more closely.
Around the world, Governments are looking to implement mandatory data retention programmes to support national security and law enforcement initiatives in the new world of cyber-crime and terrorism. Telecommunications companies, in particular, are being asked to retain certain types of meta-data to support investigations.
However, there needs to be clarity around the type of information that would be retained, what it would be used for and how it would be kept secure. Australian Privacy Commissioner Timothy Pilgrim: “There is the potential for the retention of large amounts of data to contain or reveal a great deal of information about people’s private lives. This data could be considered ‘personal information’ under the Privacy Act.”
The growth of Big Data has had the effect of de-humanising the information that traverses public and private networks. In this climate of increased eavesdropping, data theft and malicious attacks, it is essential for organisations to protect the information itself, both at rest and in motion.
Proposed data retention programmes represent an opportunity for Government to provide robust guidance and send a message to commercial organisations that they cannot afford to take a financial, risk-based approach to information security.
National data security policy
The cornerstone of a sustainable, efficient and growing digital economy is confidence in the integrity of the digital infrastructure. Protecting sensitive data is critical to that integrity. Stakeholders must be confident their transactions and information are secure, even in the event of a successful cyber-attack.
A national data security policy or strategy would need to feature data classification to ensure the relative sensitivity of certain types of information was both identified and protected. Businesses would then be able to focus on securing high-risk, sensitive data, using robust encryption technology, where appropriate, to ensure data is rendered useless should it fall into the wrong hands.
The principle of mandatory breach notifications would support this strategy, by holding organisations to account if they fail to protect our most sensitive information. Regulations that simply rely upon “best efforts” do little to motivate businesses to act.
In addition to legislating for mandatory breach notifications, another critical factor for protecting data itself is the implementation of stricter regulatory penalties for organisations that fail to protect stakeholders’ sensitive information.
Harsher penalties increase confidence
Harsher penalties for breaches, such as the ones being planned in the EU, increase confidence and trust in the digital economy for all stakeholders – provided they are implemented alongside data classifications.
For many years, Governments have recognised the need to implement best practice data security solutions and established their own data classification and security regulations. It is now time for them to encourage and support businesses to do the same.
As with occupational health and safety, the only effective approach is to implement regulations that reflect the needs of the information age in which we live. Without such legislative measures, there is a risk that collaboration with international markets that operate under more stringent regulation will be adversely affected.
A strong national data security strategy, supported by more effective regulation and a focus on data protection (such as the adoption of robust encryption of sensitive data), will help provide local organisations with a competitive advantage. Not only will it provide better protection for sensitive information, it will signal to other organisations across the world that you are a safer place to do business.
Andrew Wilson, CEO, Senetas Corporation Limited