The number one risk that companies face in 2016 is that of their data falling into the wrong hands, either from someone losing it or someone stealing it, according to audit executives polled by CEB at the end of last year.
In the roughly eight months since the annual “hot spots” report was compiled, the topic has generated many more headlines. As the altercation between Apple and the FBI revealed, the debate about who should have access to what data continues to rage. On the one hand, the US government is pushing for legislation that would provide law enforcement with easier access to information.
On the other hand, EU authorities believe the world needs to create a more stringent data protection regime, and last year opted to pull out of the “safe harbor” agreement that allowed companies to store EU residents’ information in the US.
Uncertain Regulatory Climate
Since the October 6 decision to suspend the 15-year-old safe harbor agreement, the EU parliament formally approved the General Data Protection Regulation (GDPR) on April 14 of this year. This will grant Europeans new protections and put a single standard into place across the (currently) 28 nations in the EU. Companies have two years to comply with GDPR.
European national data protection watchdogs are also looking at “privacy shield” (pdf), which is a proposed bridge between safe harbor and the GDPR.
The Article 29 Working Party, which represents data protection authorities at the country level, is particularly critical of privacy shield – throwing data transfer arrangements “into limbo,” says The Register. The European Commission is trying to revise privacy shield and address the group’s many concerns.
What’s certain is that GDPR rules require companies to take new operational steps, including the following:
Appointing a data privacy officer.
Implementing privacy impact assessments.
Expanding breach response protocols.
Identifying cross-border data transfers.
In the meantime, binding corporate rules (which can be onerous and expensive) and model contract clauses (which are straightforward but impose obligations) were sanctioned by the Article 29 Working Party. See this post for more detail on those options.
However, even model contract clauses, the most popular alternative to Safe Harbor, have recently come under attack. On May 25, the Irish Data Protection Commissioner announced it would ask the EU Court of Justice to review whether the standard language that Facebook uses will deliver adequate opportunities for redress if European citizens’ rights were compromised by US authorities.
Meanwhile, Data Breaches Are On the Rise
As of May 10, 378 data breaches were reported this year, 24% more than the number reported over the same period in 2015, according to the Identity Theft Resource Center. These can be unnerving for consumers. For example, it was recently revealed that 117 million LinkedIn user names, e-mail addresses, and passwords are for sale online, four years after the breach.
Verizon’s 2016 Data Breach Investigation Report provides some disturbing data too.
63% of breaches in 2015 occurred because of weak, default, or stolen passwords.
30% of phishing messages were opened, up from 23% in Verizon’s 2015 report.
13% of those who opened phishing messages then clicked on the malicious attachment or link.
85% of successful attacks exploited the top 10 known vulnerabilities in spite of the fact that patches were available.
“You might say our findings boil down to one common theme—the human element,” said Bryan Sartin, executive director of global security services, Verizon Enterprise Solutions. “Despite advances in information security research and cyber detection solutions and tools, we continue to see many of the same errors we’ve known about for more than a decade now.”
Other professionals agree with Sartin. Sixty-six percent of data protection and privacy training professionals believe that employees are the weakest link in the fight against data breaches, according to a recent report cited in Dark Reading.
How Audit Teams Should Respond
From a regulatory perspective, internal audit teams should work with relevant functions (e.g. Compliance, Legal, and Data Privacy) to make sure that the firm is prepared to adapt to and comply with impending GDPR regulations.
For instance, internal audit teams are well positioned to lend expertise in helping the firm prepare for impending privacy impact assessments. And, as more firms look to hire a data privacy officer, audit teams can help managers set up a data privacy program.
Ultimately, audit teams can help senior management feel more comfortable by reviewing the processes related to the collection, analysis, storage, and sharing of personal information and making sure that the appropriate controls are integrated into all projects and initiatives.
Given the pervasive human nature of this threat, audit teams should frequently test the effectiveness of privacy training and awareness campaigns, and recommend appropriate improvements. They should also consider sharing the results of those tests with business unit heads to help audit and risk teams understand how aware employees are of data privacy risks throughout the firm.