The future is digital, but there’s no way to press forward without making data protection top priority
Sampath Putrevu
Friday April 27, 2018 , 10 min Read
The EU, the first to speed up data laws, plans to fine erring organisations up to 4 percent of annual global turnover or €20 million (whichever is greater). It’s time India wakes up to the cybersecurity threat and moves from white paper to law.
In 2015, two hackers, Charlie Miller and Chris Valasek, showed the world that they could get into the internet-connected systems of a car (a Jeep, in this case) and do whatever they wanted with the vehicle. They could stop the brakes from working or freeze the steering wheel through a DDoS attack. This led Chrysler to recall 1.4 million Jeep vehicles and issue a security patch.
Hackers could enter the car’s network through an unsecured phone connected over WiFi or cellular. Here readers have to differentiate between two things: cybersecurity and data usage without customer consent. Cybersecurity comes in when corporations have to protect consumer and customer data from external threats like hackers. But data usage, meaning the study of consumers by corporations, remains the biggest debate today. Even where this data is digitally secure, as it is in most cases, using it without the user’s consent is considered a breach of trust.
Mahesh Lingareddy, Chairman and Co-founder of IoT company Smartron, says, “Security has to be looked at not just in securing devices. It has to be looked at how data is being used as a whole; it involves protection of customer data and using it with their consent.”
Today, consumers are part of a matrix, like the movie, where people are sorted into anonymous sets of variables based on patterns. They are served “appropriate content” based on these patterns. Most of us press the “I agree” button on apps without considering the implications of sharing data. But securing this data from hackers and unscrupulous corporations is the key question.
Keerti Melkote, Founder of Aruba Networks, a vendor of data networking solutions, says, “The future is digital. As the digitisation drive in SMEs and large corporations becomes necessary, every customer and consumer has to follow in the digital journey.”
This is where laws are coming in to protect the consumer.
The law everyone has to watch out for
With all data going digital, consumption and trade data are part of a network that needs to be secure from several perspectives. The Cambridge Analytica data snooping allegations are just the beginning of a series of lawsuits against businesses for snooping into consumer data and studying their networks without consent.
Many may think of this as a doom-and-gloom situation, but there is a way out. The European Union (EU) has given startups and corporations two years to protect data of consumers and give them an opt-out option. The deadline to be compliant is May 25, 2018, and has stern penalties of millions of dollars.
In India, we are still at the white paper stage, and it’s vital to speed this up into law because all our data is digital and sitting in global data centres.
How does the EU law aim to help protect consumers? This law, called the General Data Protection Rights, offers:
- Increased territorial scope (extra-territorial applicability): The GDPR will apply to the processing of personal data of data subjects in the EU by a controller or processor not established in the EU, where the activities relate to: offering goods or services to EU citizens (irrespective of whether payment is required) and the monitoring of behaviour that takes place within the EU. Non-EU businesses processing data of EU citizens will also have to appoint a representative in the EU.
- Penalties: Under GDPR, organisations in breach can be fined up to 4 percent of the annual global turnover or €20 million (whichever is greater). This is the maximum fine that can be imposed for the most serious infringements, for example not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines. So a company can be fined 2 percent for not having their records in order (article 28), and not notifying the supervising authority and data subject about a breach or not conducting impact assessment. It is important to note that these rules apply to both controllers and processors - meaning “clouds” will not be exempt from GDPR enforcement.
- Right to be forgotten: Also known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. The conditions for erasure, as outlined in article 17, include data no longer relevant to original purposes for processing, or a data subject’s withdrawing consent. It should also be noted that this right requires controllers to compare the subject’s rights to “public interest in the availability of the data” when considering such requests.
The key to remember is that fines are enormous if startups from India, serving Europe, get compliance wrong. From now on, startups may well need a chief data protection officer to enforce rules in the organisation and protect them from any liabilities.
Sonal Puri, CEO of Webscale Networks, a cloud management and hosting services provider, says: “What you have to do is secure data in each region. It should be within the boundaries of the nation that you serve.”
It’s not just the EU. There is also an American equivalent coming out soon, but the Americans have not defined the scope of digital data under one unified data law.
As noted above, the GDPR represents a very different model from US privacy laws. According to consulting firm PWC, the multinationals that best succeed in staying off the radar of EU privacy regulators are those able to equip, train, and test an EU first-response team on an EU privacy incident-response playbook well ahead of the May 2018 deadline.
Meanwhile, Indians who enjoy their online movies and food ordering need to understand that they can opt out of being snooped upon, but can give consent for data to be studied in anonymity.
India’s data protection committee is under the chairmanship of former Supreme Court Justice BN Srikrishna and aims to study various issues relating to data protection. The committee is to make specific suggestions on principles to be considered for data protection in India and suggest a draft Data Protection Bill. The objective is to “ensure growth of the digital economy while keeping personal data of citizens secure and protected”.
India’s tryst with data protection began with many countries rubbishing the 2013 OECD Guidelines on data protection, which have been criticised as being fundamentally incompatible with modern technologies and Big Data analytics that have revolutionised how data is collected and processed.
According to the Indian White Paper on data protection, “Presently, corporations possess data that has been generated or collected from a wide variety of sources. Such data may include financial data, employee data, and customer data. It may be relevant to note that at the time when the OECD guidelines originated, data processing, including collection activities, were more linear and easier to define. However, now the situation has changed with data being collected and used in ways not envisaged at the time these principles were developed. We have, as a consequence, been ushered into the era of modern technologies and Big Data analytics. While Big Data does not have a precise definition, it can be understood as essentially involving gathering large quantities of data and applying innovative technology (such as predictive analysis) to them to extract knowledge.”
So, as an Indian consumer, expect a Data Protection Law, soon. It was introduced as a Bill in the first week of March 2018 in Parliament, and has been sent for amendments. It will be tabled again in May.
Sarv Sarvanan, GM of the Dell Centre of Excellence in Bengaluru, says: “There is no doubt that all consumer and client data should not be sold to third parties, and requires consent of individuals before it is applied for knowledge.”
Now that securing consumer data from use without explicit consent is out of the way, here is why cybersecurity is also key to the future.
A brief on cybersecurity
A paper on data vulnerability and data security throws light on the dangers of digital breaches apart from corporations or politicians using them for crunching data without consent.
The paper goes back to the connected world experience and sticks to cars. The paper says: “Modern vehicles incorporate tens of electronic control units (ECUs), driven by as much as 100,000,000 lines of code. They are tightly interconnected via internal networks, mostly based on the CAN bus standard.
“Past research showed that, by obtaining physical access to the network or by remotely compromising a vulnerable ECU, an attacker could control even safety-critical inputs such as throttle, steering, or brakes. In order to secure current internal car networks from cyberattacks, detection and prevention approaches based on the analysis of transmitted frames have been proposed, and are generally considered the most time- and cost-effective solution, to the point that companies have started promoting aftermarket products for existing vehicles.”
The researchers present a selective denial-of-service attack against the current network standard in cars that does not involve the transmission of any complete frames for its execution, and thus would be undetectable via frame-level analysis. As the attack is based on “protocol” weaknesses, the researchers say all connected car implementations by all manufacturers are vulnerable.
Rahul Sasi, Founder and CTO, CloudSek, an AI-based risk management enterprise, says, “When it comes to cybersecurity, the information gathered in the connected world can be used by a malicious attacker for phishing. Phishing is a type of social engineering attack often used to steal user credentials, including passwords and credit card numbers.”
This occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an email, instant message, or text message. An attacker can use the above data to create a very relevant and personal phishing email that would trick you into giving your sensitive information.
“Apart from emails, attackers in the past have also used Ad-Networks to launch phishing attacks. So Big Data leaks combined with ad-networks can be deadly as well to end-users,” Rahul says.
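The phishing pattern described above, a sender masquerading as a trusted entity, leaves traces a defender can check mechanically at the mail gateway or in a client. The following is an added example, not code from the article or from CloudSek: it scores a message on three indicators (a display name that names a domain other than the real sender domain, a Reply-To that diverges from From, and a link whose visible text shows a different host than its href). The sample messages and the hostnames example.com and example-support.net are constructed for the demo.

```python
"""Flag common phishing indicators in an e-mail message (added example).

Checks implemented:
  1. the From: display name names a domain that is not the sending domain,
  2. Reply-To: points at a different domain than From:,
  3. an <a> element's visible text shows one host while its href goes to another.
Sample messages below are constructed; example.com / example-support.net are
reserved documentation names, not real organisations.
"""
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse


def sender_domain(header_value):
    """Lower-cased domain of an address header such as 'Name <user@host>', or ''."""
    _name, addr = parseaddr(header_value)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def display_name(header_value):
    """The human-readable display name part of an address header."""
    name, _addr = parseaddr(header_value)
    return name


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(text):
    """First hostname-looking token in free text (with or without scheme), or ''."""
    m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    return m.group(1) if m else ""


def phishing_indicators(msg):
    """Return a list of indicator strings for a message dict with keys
    'from', optional 'reply_to', and 'html'. An empty list means none fired."""
    indicators = []
    from_dom = sender_domain(msg["from"])
    name = display_name(msg["from"]).lower()

    # 1. Display name claims a domain that is neither the sender domain nor a parent of it
    claimed = _host(name)
    if claimed and claimed != from_dom and not from_dom.endswith("." + claimed):
        indicators.append(f"display name claims {claimed} but sender is {from_dom}")

    # 2. Reply-To diverges from From (replies would go somewhere the user did not expect)
    reply_dom = sender_domain(msg.get("reply_to", ""))
    if reply_dom and reply_dom != from_dom:
        indicators.append(f"reply-to domain {reply_dom} differs from {from_dom}")

    # 3. Visible link text shows one host, the href points at another
    collector = _LinkCollector()
    collector.feed(msg.get("html", ""))
    for href, text in collector.links:
        href_host = (urlparse(href).hostname or "").lower()
        text_host = _host(text)
        if text_host and href_host and text_host != href_host:
            indicators.append(f"link text shows {text_host} but points to {href_host}")
    return indicators


# Constructed sample messages (not real mail).
SAMPLE_PHISH = {
    "from": "example.com Billing <billing@example-support.net>",
    "reply_to": "collect@example-support.net",
    "html": '<p>Your account is on hold.</p>'
            '<a href="http://example-support.net/login">https://www.example.com/login</a>',
}
SAMPLE_REPLY_TO = {
    "from": "Example Support <support@example.com>",
    "reply_to": "reply@example-support.net",
    "html": "<p>Please reply with your account number.</p>",
}
SAMPLE_LEGIT = {
    "from": "Example Support <support@example.com>",
    "html": '<p>Your receipt:</p>'
            '<a href="https://www.example.com/receipt/123">https://www.example.com/receipt/123</a>',
}

if __name__ == "__main__":
    for label, sample in [("phish", SAMPLE_PHISH), ("reply-to", SAMPLE_REPLY_TO), ("legit", SAMPLE_LEGIT)]:
        print(label, phishing_indicators(sample))
```

The three checks are deliberately cheap and header- or body-local, so they can run before any reputation lookup; a real deployment would feed the indicator count into a broader score alongside SPF/DKIM results rather than block on any single hit.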
According to PWC, 87 percent of global CEOs say that they are investing in cybersecurity to build trust with customers. Nearly as many (81 percent) say they are creating transparency in the usage and storage of data. Unfortunately, fewer than half of CEOs say they are taking these actions. Further, a third of African CEOs and nearly a quarter of North American CEOs (22 percent) say they are “not at all” creating transparency in the usage and storage of data.
Gartner Inc forecasts worldwide enterprise security spending to total $96.3 billion in 2018, an increase of 8 percent from 2017. Organisations are spending more on security as a result of regulations, shifting buyer mindset, awareness of emerging threats, and the evolution to a digital business strategy.
Ruggero Contu, Research Director at Gartner, says: “Overall, a large portion of security spending is driven by an organisation’s reaction towards security breaches as more high-profile cyberattacks and data breaches affect organisations worldwide.”
“Cyber attacks such as WannaCry and NotPetya, and most recently the Equifax breach, have a direct effect on security spend, because these types of attacks last up to three years,” Ruggero says.
The losses from cyber threats are real. Accenture tells us that the average cost of damage from cybercrime each year is $11 million.
Despite the advances in technology, the world is becoming extremely complex. Our lives are all about numbers, figures, and averages. While these statistics will make us efficient, they can also be used to manipulate us. Go digital for sure, but ask your digital business service provider to give you an assurance on security. Then, Big Data won’t be so bad.