Privacy considerations and ISO 27701

ISO 27701 is an international standard that helps organisations manage and protect personally identifiable information (PII). It builds upon ISO 27001 – Information Security Management Systems (ISMS) by providing specific guidance on implementing, maintaining, and continually improving a Privacy Information Management System (PIMS).

Having recently reviewed the standard and the options to update an ISMS to include PIMS and considering working towards obtaining the ISACA Certified Data Privacy Solutions Engineer (CDPSE) qualification, this article contains a selection of issues that could severely impact privacy. I don’t intend this article to be exhaustive but rather to provide a good overview of things to consider when implementing this standard, conducting privacy-related audits, or complying with other legislation such as the General Data Protection Regulation (GDPR).

Inadequate incident response

A poorly defined or inadequate incident response plan can lead to delayed or improper handling of privacy breaches, escalating the damage and complicating recovery efforts. An ineffective response can erode trust and result in significant legal and financial repercussions. Swift and efficient incident response is critical for mitigating the impact of privacy breaches. Countermeasures include:

  • Create and maintain an adequate incident response plan.
  • Conduct regular drills to ensure all employees understand their roles and responsibilities.
  • Update the incident response plan to reflect current threats.

Third-party risks

Failing to conduct third-party due diligence properly can lead to privacy breaches. If third parties do not adhere to the same privacy standards, they can become a weak link in data protection. Uncontrolled third-party access can expose sensitive information to significant risks. Countermeasures include:

  • Conduct thorough due diligence and regular audits of third-party vendors.
  • Include strong privacy and data protection clauses in contracts with third parties.
  • Continuously monitor and assess third-party practices.

Insufficient access controls

Granting employees unnecessary access to sensitive information increases the risk of data breaches. Excessive permissions can lead to both accidental and malicious data misuse. Unrestricted access can result in significant vulnerabilities and data privacy issues. Countermeasures include:

  • Implement the principle of least privilege, ensuring employees have access only to the data necessary for their role.
  • Regularly review and adjust access controls based on changes in employee roles.
  • Use role-based access control (RBAC) to manage permissions.

Unsecured transmission

Employees might bypass encryption and other data protection measures to complete urgent tasks. This oversight often stems from cumbersome technology, recipients unable to handle encrypted messages, or insufficient training on secure data transmission. Unsecured data transmission increases the risk of interception by unauthorised parties, potentially leading to data breaches. Countermeasures include:

  • Conduct regular training and support.
  • Ensure privacy protection technologies are user-friendly.
  • Provide comprehensive support documentation to help resolve common problems.
  • Clearly define responsibilities and accountabilities.

Weak password practices

Using weak or shared passwords among team members increases the risk of unauthorised access. Password reuse across multiple platforms exacerbates this vulnerability. Weak password practices are a common entry point for cyberattacks, compromising data security. Countermeasures include:

  • Implement a policy that requires complex passwords.
  • Use multi-factor authentication (MFA) to add an extra layer of security.
  • Provide training on password practices.

Lack of regular audits

Businesses may fail to identify vulnerabilities or comply with privacy policies without regular audits of privacy practices and data handling processes. This oversight can lead to significant privacy breaches and regulatory penalties. Regular audits are essential for maintaining data security and compliance. Countermeasures include:

  • Perform regular audits of privacy practices and data handling processes.
  • Use audits to ensure compliance with privacy policies and regulations.
  • Proactively identify and address potential risks through audits.

Neglecting data retention and disposal policies

Failing to comply with retention policies will increase exposure in a data breach. Employees might leave sensitive documents unsecured or neglect to wipe data from old devices, leading to significant privacy breaches if the data falls into the wrong hands.

Countermeasures include:

  • Develop and enforce policies for secure data disposal.
  • Ensure that you shred, wipe, or render irretrievable all sensitive information before disposal of equipment.
  • Conduct regular audits and provide training on proper data disposal practices.

Sending files to incorrect recipients

One of the most prevalent issues is the accidental transmission of sensitive data to the wrong email addresses. Email software that auto-adds addresses from previous contacts increases the likelihood of such errors, usually discovered only after the fact. This mistake can result in unauthorised individuals accessing sensitive information, leading to significant privacy breaches. Countermeasures include:

  • Encourage employees to double-check recipient addresses.
  • Implement email verification steps before sending to unfamiliar addresses.
  • Use email prompts for confirmation.

Social engineering attacks

Employees may become victims of social engineering attacks, such as phishing, which can lead to the inadvertent disclosure of sensitive information. Social engineering exploits human psychology to bypass technical security measures. These attacks can significantly compromise data privacy. Countermeasures include:

  • Provide regular training on recognising and responding to social engineering threats.
  • Implement multi-factor authentication and email filtering.
  • Improve awareness and vigilance among employees to defend against social engineering.

Lack of privacy by design

Not incorporating privacy considerations into designing new systems, products, or processes can lead to vulnerabilities and compliance issues. Overlooking privacy in the development stage can result in significant risks and challenges. Privacy should be a foundational element in all business systems. Countermeasures include:

  • Integrate privacy by design principles into project management and development processes.
  • Conduct privacy impact assessments during the early stages of any new initiative.
  • Ensure privacy is built into systems and processes to prevent future issues.

Collecting too much data

Despite clear privacy policies, employees may forget the specifics amidst their busy schedules. If employees collect more data than necessary, it risks privacy incidents and potential legal repercussions for not adhering to the company’s privacy commitments. Over-collection can lead to storing unnecessary data, increasing the risk if this data is compromised. Countermeasures include:

  • Educate employees on the principle of data minimisation.
  • Encourage the use of internal identifiers instead of government IDs.
  • Implement techniques like truncating, masking, or scrambling data.
  • Provide regular reminders and training on data minimisation.
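The two list items on internal identifiers and on truncating or masking data describe techniques rather than policy, so here is an added worked example of them in Python. It is not code from the article or from ISO 27701; the record layout, the purposes, the field names and the pseudonymisation key are all constructed assumptions for illustration. A government ID is replaced by a keyed HMAC reference, the date of birth is truncated to the year, and contact details are masked, with a purpose-to-fields table deciding what each consumer may see at all:

```python
import hashlib
import hmac
import re
from dataclasses import dataclass

# Hypothetical pseudonymisation key, constructed for this example. In a real
# deployment it would come from a secrets manager, never from source code.
PSEUDONYM_KEY = b"example-only-key-do-not-reuse"


@dataclass
class CustomerRecord:
    """A constructed record of the kind a customer system might hold."""
    full_name: str
    email: str
    date_of_birth: str   # YYYY-MM-DD
    national_id: str     # government-issued identifier
    phone: str


def pseudonymise_id(national_id: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Replace a government ID with a stable internal reference.

    HMAC-SHA256 yields the same token for the same ID, so records can still be
    linked, but the ID itself is never stored and cannot be recovered or
    recomputed from a guessed value without the key.
    """
    normalised = national_id.strip().upper().encode()
    digest = hmac.new(key, normalised, hashlib.sha256).hexdigest()
    return "cust-" + digest[:16]


def truncate_dob(date_of_birth: str) -> str:
    """Keep only the birth year: enough for an age-band check, useless as a credential."""
    if not re.fullmatch(r"\d{4}-\d{2}-\d{2}", date_of_birth):
        raise ValueError("expected YYYY-MM-DD")
    return date_of_birth[:4]


def mask_email(email: str) -> str:
    """Show the first character of the local part only, e.g. j*******@example.com."""
    local, sep, domain = email.partition("@")
    if not sep or not local or not domain:
        raise ValueError("malformed email address")
    return local[0] + "*" * (len(local) - 1) + "@" + domain


def mask_phone(phone: str) -> str:
    """Keep the last four digits, which is what a support agent needs to confirm a number."""
    digits = re.sub(r"\D", "", phone)
    visible = digits[-4:]
    return "*" * (len(digits) - len(visible)) + visible


# Which fields each processing purpose is allowed to see (hypothetical purposes).
# Anything not listed is dropped, which is the data-minimisation rule enforced in code.
PURPOSE_FIELDS = {
    "marketing": {"email"},
    "age_verification": {"birth_year"},
    "support_display": {"full_name", "email_masked", "phone_masked"},
}


def minimise(record: CustomerRecord, purpose: str) -> dict:
    """Return only the fields the stated purpose needs, in their reduced form.

    The national ID is never returned; every output carries the internal
    reference instead.
    """
    if purpose not in PURPOSE_FIELDS:
        raise ValueError(f"unknown purpose: {purpose}")
    derived = {
        "full_name": record.full_name,
        "email": record.email,
        "email_masked": mask_email(record.email),
        "phone_masked": mask_phone(record.phone),
        "birth_year": truncate_dob(record.date_of_birth),
    }
    out = {"customer_ref": pseudonymise_id(record.national_id)}
    for field in PURPOSE_FIELDS[purpose]:
        out[field] = derived[field]
    return out


if __name__ == "__main__":
    # Constructed sample record; no real person's details.
    sample = CustomerRecord("Jane Doe", "jane.doe@example.com", "1985-06-14",
                            "AB123456C", "+44 7700 900123")
    for p in PURPOSE_FIELDS:
        print(p, minimise(sample, p))
```

The purpose table is the part worth copying: a consumer that asks for a purpose the table does not know is refused outright, rather than being handed the full record by default, which is the failure mode the section describes.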

I have lost count of the number of firms that have asked me for my date of birth when there is no legitimate need for them to know or store such information. Some businesses even ask people to confirm their date of birth when they don’t already have it so they can add it to their records.

Inconsistent business processes

Rapid business responses can lead to changes not being communicated, resulting in processes not aligning with documented privacy policies and exposing the company to legal and civil actions and operational risks. Unvetted changes can lead to significant vulnerabilities and compliance issues. Countermeasures include:

  • Establish a robust change control process, including privacy impact assessments.
  • Document all changes in a central repository.
  • Ensure all changes are vetted and documented to maintain alignment with privacy policies.

Being overly helpful

Employees often go above and beyond to meet clients’ needs, sometimes sharing more personal information than necessary. This well-meaning behaviour can expose sensitive data to unauthorised individuals. Without proper guidelines, employees might not recognise the limits of information sharing, inadvertently causing privacy breaches. Countermeasures include:

  • Provide continuous and targeted privacy training.
  • Conduct follow-up sessions and periodic knowledge checks.
  • Ensure employees are aware of what information is appropriate to share.

Multitasking

Juggling multiple system windows heightens the risk of privacy incidents. Employees might enter data into the wrong screen, leading to incorrect data transmissions. This error is often due to distraction or confusion, increasing the likelihood of privacy breaches. Countermeasures include:

  • Encourage focused work practices and limit multitasking.
  • Implement system controls that highlight or lock fields for sensitive data.
  • Establish mindful data handling practices.

Employee turnover and onboarding

High employee turnover can lead to lapses in privacy training and knowledge transfer. This gap can result in an increased risk of privacy incidents and non-compliance. Countermeasures include:

  • Ensure comprehensive privacy training during staff onboarding.
  • Conduct regular refresher courses to maintain knowledge continuity.
  • Maintain up-to-date documentation and resources for employees to reference.

Building a privacy culture

Addressing privacy risks is a continuous effort that requires a team-wide commitment across the business. Collaboration among various business units is essential to build strong relationships, identify privacy challenges, and develop training and practical resources. In response to incidents, it is critical to assess control failures to minimise the likelihood of future occurrences. Please remember that improving privacy controls is a continuous journey, not a destination.

Although I am currently focusing on integrating ISO 42001 into ISO 27001, I see a more long-term strategy that includes ISO 27001, ISO 42001, and ISO 27701 working together as a combined management system.

12 Months of GDPR

General Data Protection Regulation (GDPR) became law in the UK exactly one year ago, and this article reports on personal observations over 12 months. GDPR has created greater awareness of best practices for handling personal data because of the fear of financial penalties of up to 4% of annual turnover or 20,000,000 Euros, whichever is higher. During this time, a significant number of complaints have been made to data protection authorities requesting investigations and some have resulted in financial penalties.

More information is available at https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en

UK readers should also visit the website of the UK’s Information Commissioner’s Office:

Email Notifications

I have received many privacy notifications from companies stating that they hold and process personal data. Roughly 50% of these notifications were from businesses with which I had no prior contact or to which I have not given consent to process data.

  • Requests for data removal have resulted in a need to provide more personal data to confirm my identity
  • Two businesses wanted a scan of my passport or driving licence before they would remove the data
  • Some email notifications indicated that removal of personal data required recipients to log in and change their data settings

Observations suggest that:

  • How some businesses have chosen to implement GDPR forces people to jump through hoops to have their data removed
  • Hackers can easily use GDPR-related emails for phishing. With everyone expecting such emails in response to the introduction of GDPR, many removal requests could already have resulted in more personal details than before being processed inappropriately.

Date of Birth

Use of Date of Birth as a security question has increased. I’ve said many times that people should not use immutable facts for security. Still, the point here is that over the last 12 months companies have asked for my date of birth when in fact I would never have had a legitimate reason to give it to them in the first place.

It became evident that companies are requesting Dates of Birth for security, but the real purpose is to populate a previously blank field in their database. I put this to the test in the following two ways:

  • I gave a bogus date of birth. The company accepted it as correct for security
  • I told them they would have nothing to compare it against because there was no legitimate need for them to know. Following a pause, the operator checked with their manager and asked an alternative security question.

The legitimacy of these businesses is not in question, as we are not talking about potentially fraudulent companies that nobody has ever heard of; we are talking about national brands. Unless people are mindful of to whom they gave their date of birth, it is reasonable to assume that when asked for confirmation, they would be willing to give it.

Personalised Junk Mail

The quantity of personalised mail has reduced quite significantly, but the amount of non-personal mail has increased substantially during the same period. The increase is roughly 50/50 between:

  • Letters addressed to ‘owner/occupier’ without any named individual – suggests that where businesses have a refined customer list but no consent to hold personal data, they remove the names and keep targeting the addresses.
  • Unaddressed mail – suggesting many businesses have chosen to deliver leaflets

More information on how to stop receiving junk mail is available here: https://www.citizensadvice.org.uk/consumer/post/stop-getting-junk-mail/

Public Data Feeds

Publicly available data sources are still available free of charge, or for a nominal payment, from government departments and local authorities. Consequently, second-level websites and services that use publicly available data still have access to all of it and make it available to everyone, free of charge or for a fee.

Requests to remove data still result in resistance and a need to jump through hoops, including providing significantly more personal information before action is taken. The removal is only effective until a replacement data feed is processed. No evidence is available to indicate that a separate list is kept to ensure that removal requests are permanently applied.

This information is more than sufficient for fraud to take place. Yet, to my knowledge, nobody has ever consented to this information being made available publicly by authorities, or given consent to third-party organisations to process this data and sell it online. Such businesses can, however, claim a ‘Legitimate Interest’ under GDPR.

A data broker can claim to have a legitimate interest because their source of income is from the sale of your data. Although data privacy advocates would like nothing more than to see some of these businesses cease to exist, and this has come up in conversation many times over the last 12 months, this is unlikely to happen any time soon because the businesses are highly profitable. Their business purpose is to profit from your data, so they have a ‘Legitimate Interest’ in processing it; potentially a court case waiting to happen in the future to define the boundary with case law.

Increased User Accounts

More and more websites insist that online accounts are required to make purchases. There are many business reasons for mandatory user accounts, and an increase over the previous 12 months could be a coincidence. However, a user account does address the issue of maintaining data accuracy as a user account will essentially transfer responsibility for data accuracy to the user, who can log in and edit their data. Also, over the last 12 months, I have observed several accounts created without my consent, along with emails inviting me to verify details.

There are long term security implications to consider:

  • People can quickly lose track of user accounts over time if, at the time of placing an order, creating an account was mandatory despite knowing it would likely be a one-time purchase. Equally, security questions based on historical facts are an issue.
  • Many websites still send passwords by email in plain text in response to forgotten password options. However, sites are increasingly switching to a more secure reset process.
  • Sites could store credit card details in the accounts to which people no longer have access
  • Re-use of logon credentials and security questions between sites increases the risk of more important sites being compromised
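The second point above contrasts emailing a password in plain text with a proper reset process. As an added illustration (not code from the article or from any site it mentions), here is the server side of such a reset flow in Python: a random, single-use, time-limited token is issued, only its SHA-256 hash is stored, and the email carries a link with the token rather than any password. The user ids, the `set_password` callback, the URL and the 15-minute lifetime are assumptions made for the example.

```python
import hashlib
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime; a reset link should be short-lived


class ResetTokenStore:
    """Server-side half of a password-reset flow.

    Only the SHA-256 of each token is kept, so a leaked table cannot be used to
    reset anyone's password; the token itself exists only in the emailed link.
    `now` is injectable so expiry can be tested without waiting.
    """

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        self._by_hash: Dict[str, Tuple[str, float]] = {}  # token hash -> (user id, expiry)

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: str) -> str:
        # 32 random bytes from the OS CSPRNG: unguessable, unlike a password
        # "reminder" or a token derived from the user's own details.
        token = secrets.token_urlsafe(32)
        self._by_hash[self._hash(token)] = (user_id, self._now() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token: str) -> Optional[str]:
        """Return the user id if the token is valid and unused, else None.

        The entry is popped before the expiry check, so a token can be redeemed
        at most once whatever the outcome.
        """
        entry = self._by_hash.pop(self._hash(token), None)
        if entry is None:
            return None
        user_id, expires_at = entry
        if self._now() > expires_at:
            return None
        return user_id


def compose_reset_email(token: str, base_url: str = "https://example.invalid/reset") -> str:
    """The message the user receives: a link carrying the token, never a password."""
    return (
        "Someone asked to reset the password for your account.\n"
        f"If this was you, follow this link within 15 minutes: {base_url}?token={token}\n"
        "If not, ignore this message; your password has not changed."
    )


def handle_reset_submission(store: ResetTokenStore, token: str, new_password: str,
                            set_password: Callable[[str, str], None]) -> bool:
    """Second step: exchange a valid token for the right to set a new password."""
    user_id = store.redeem(token)
    if user_id is None:
        return False
    set_password(user_id, new_password)  # hypothetical hook into the account store
    return True


if __name__ == "__main__":
    store = ResetTokenStore()
    tok = store.issue("user-42")
    print(compose_reset_email(tok))
    print("reset ok:", handle_reset_submission(store, tok, "new-passphrase", lambda u, p: None))
    print("replay ok:", handle_reset_submission(store, tok, "again", lambda u, p: None))
```

Because the stored value is a hash of a high-entropy random token, an attacker who reads the table gains nothing, and because redemption removes the entry, a link found later in a mailbox cannot be replayed.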

Not everyone maintains an inventory of user accounts; in fact, it is more likely that very few people do. More user accounts mean more opportunities for hacking user accounts. Many sites authenticate with Facebook or Google; however, if either of these is compromised, all connected accounts are also compromised.

Increased cookie popups

Consent to store cookies has been implemented in many different ways, from a visible page on the website to popups demanding that users click a button to accept cookies.

  • Website platforms such as WordPress have implemented it as standard, so anyone with a website powered by WordPress gets the functionality automatically.
  • Website developers have implemented intrusive popups that disrupt the user experience on the site, such as fading out the content of the page and requiring ‘accept’ to be selected before the visitor can read it, not allowing the ‘accept’ button to be selected until the entire page has downloaded, and not providing an option to ‘decline’.
  • Many sites don’t have a ‘decline’ option. Although websites often need cookies for the duration of the session or for security, these reasons are not in the regulations. Developers’ choice to offer either ‘allow’ or ‘leave’ creates a new problem: people will ‘allow’ as an automatic response, which in the long term will render the concept useless, rather like the millions of people who tick a box to say they accept terms and conditions but never actually open and read them.

More information is available at:

The paper data breach

In the digital age, businesses place much emphasis on protecting electronic data, but very little seems to have changed in the way of protecting data on paper. Here are a few examples:

  • Charity – I am often approached on the street by a representative of a charity wanting monthly donations by direct debit. While listening to information about the charity, large quantities of personal data are often visible. The number of times bank details, names and addresses from earlier in the day are visible to me while engaging with charity staff is quite incredible. We are not talking about obscure charities, but mainstream national and international names.
  • Banking – I recently entered one of my banks and was asked questions in the doorway about insurance products. The sales approach was to find out what people needed, then arrange a follow-up call to discuss the needs in more detail. This information was visible on a clipboard which included full name, address and contact telephone number. Again, this was at a high-street bank branch.
  • Car Hire – I once arrived to collect a car, only to see all the customer contracts arranged on the counter for everyone to see. The top pages included full names and addresses, price information and contact telephone numbers. These included my details.
  • Street Stands – most people will have at some point been approached by people asking what broadband they use, or what utilities they have, a pretext for a conversation about how their services are better value for money. So much personal information is visible to other people as a result of this activity. With so many new brands emerging and advertising in this way, it is conceivable that someone could set up a stand for gathering information for identity fraud. Conversations are often very intrusive and far exceed what is reasonable. Street stands advertising credit cards have become very popular over the last couple of years.

People need to be more careful. Beyond what I observed while interacting with businesses, I have also noticed the following while working professionally over the years:

  • Printed documents left abandoned on a printer for everyone to see. This disclosure includes visitors and staff who may not be authorised to know the content, not to mention cleaning companies, which often have a high staff turnover. Printers are available that require people to log on to print their documents. Unprinted documents are deleted from the queue if not collected, which saves paper as well as improving data security.
  • Documents left in meeting rooms instead of being securely recycled
  • Visitor sign-in sheets which sometimes include more details than needed
  • Unlocked filing cabinets and desk drawers
  • Documents left on desks overnight

It is clear that while a significant focus is on digital data protection, exposure of personal data on paper is high.

The birth of GDPR claims management

With the introduction of the General Data Protection Regulation (GDPR), how close are we to a culture of GDPR compensation claims? With so many companies within the EU holding personal data, and an unprecedented challenge to adhere to the regulations, how vulnerable will companies be to future claims? Individuals may not have the time or energy to deal with litigation. Many failures will go unchallenged, but delegating such activity to law firms and new businesses established for this very purpose could place increased pressure on firms to comply with requests. Also, how will cyber insurance policies be adapted to protect against such claims? A new level of litigation in the making, perhaps.

The traffic accident compensation culture has evolved quite significantly in the UK, and the number of personal injury claims is at an all-time high. They have increased to the point that almost immediately following an accident, claims management companies are lining up to take on cases. Television channels and websites are inundated with commercials offering no-win-no-fee arrangements, and insurance policies either include legal support or make it available to customers as an add-on option. The following are indicators of what is emerging, although the coffee machine chatter on the subject shows a difference of opinion on what the marketplace will look like two years from now.

  • Businesses are increasingly using a thought leadership approach to demonstrating understanding and credibility in data protection related issues, particularly in the insurance and litigation spaces. Generally, companies and individual professionals are positioning themselves as experts in the field.
  • Published reports and surveys indicate that large numbers of businesses are unprepared for GDPR compliance, suggesting the number of potential claims will be high
  • Issues which lead to businesses being open to litigation are highly likely to involve many customers and less likely to be one or a handful of individuals. The lack of compliance is more likely to be systemic. Rather than an individual making a claim and approaching a law firm, litigation is more likely to be driven by events taking place or failures identified, then finding the customers willing to jump on the bandwagon.
  • There is a growing compensation culture within the UK. This is not to say that people are not entitled to claim if they have suffered a loss, but rather it illustrates a change in attitude. Where once (in my lifetime) the approach was to ‘get up and move on’, it is now more likely that someone suffering a loss will first be thinking ‘can I claim compensation?’.
  • Politicians have complained about the adverse effects of excessive litigation on the economy and society. Politicians have also given undertakings that if elected into government, they would ‘cut out the cancer of litigation’.
  • Many new pieces of legislation are being introduced which give people the right to compensation if they suffer a loss. It is reasonable to expect that people will exercise such legal rights, and depending on the magnitude at which this happens, the process will need effective management.

These are indicative of a growing risk to companies that manage large quantities of personal data. There is also an increasing opportunity for existing and new companies to emerge, both to help protect organisations and to deal with litigation over failures to comply.