Opinion: Jason Hart, CTO of Data Protection, Gemalto, explains how companies have to take more responsibility for their customers’ data and how employing the right data encryption, key management and security education strategies can be their “get-out-of-jail-free cards”.
The courts are making it increasingly easy for litigants to sue organisations and companies for any damages they have suffered following a cyberattack. Until very recently the onus was squarely on the complainant to show that they had suffered damage as a direct result of a data security breach, but that is now starting to change.
The latest big data breach in the UK saw the personal information of over 15,000 new and expectant parents compromised when hackers targeted the National Childbirth Trust (NCT), stealing parents’ email addresses, usernames and encrypted passwords.
In an email to those parents affected by the breach, NCT chief executive Nick Wilkie said: "While your password is encrypted, as a precaution, I would advise you to change any password as soon as possible for other accounts or registrations that use these details. We discovered the breach today, are reporting the matter to the police and Information Commissioner and contacting all who are affected immediately."
Healthcare organisations, insurers and major retailers, in particular, are key targets for hackers, as they are treasure troves of personal information which cybercriminals can use for identity theft and financial gain. Indeed, nearly two-thirds (64%) of consumers in our recent global survey said they would be unlikely to shop or do business again with a company that had experienced a breach where financial information was stolen and nearly half (49%) had the same opinion when it comes to data breaches where personal information was stolen.
Last year, the fallout from cases such as the Neiman Marcus data breach rulings (in which it was decreed that customers could potentially sue the US retailer for damages due to identity theft or fraud) and the consequences of the Vidal-Hall v Google decision by the English Court of Appeal on the misuse of private information mean that companies now need to be incredibly serious about threats from cybercriminals and hackers.
These developments only add to the importance of companies employing the best encryption techniques to protect their customers’ personal and private data.
Building consumer confidence and trust
Trust is absolutely essential in building and maintaining business and customer relationships, particularly for those organisations that hold vast quantities of customer data. Our survey reveals that an increasing proportion of consumers and victims of commercial cyberattacks are willing to take legal action against companies that have been hacked.
Around a quarter (23%) of respondents who have been a victim of a data breach, either have, or would, consider taking legal action against the breached company involved in exposing their personal information. Almost half (49%) of respondents said they would take or would consider taking legal action against any of the parties involved in exposing their personal information.
So what needs to be done to re-instil customer confidence? The fact that consumers who have been victims of data theft are increasingly taking legal action against the companies that were responsible for their data, in addition to pursuing the cybercriminals and fraudsters, should give pause for thought to any organisation that holds personal or sensitive data on its customers.
Overall, we are seeing that confidence in corporate data security is at an all-time low and that customers are getting increasingly impatient with breached companies, with only a quarter (25%) of consumers feeling that companies take the protection of their data seriously.
If businesses and their customers don’t start to take data protection seriously, then they risk laying themselves open to identity theft, fraud and even legal action, if the trends revealed by the above-mentioned court cases are anything to go by.
There are four fundamental tips that companies should follow to ensure they have a rock solid data protection plan in place.
1. Multi-factor authentication – an organisation’s first step should be the adoption of strong multi-factor authentication, which provides an extra layer of security should user IDs or passwords become compromised.
2. Encryption – while multi-factor authentication helps to stop information being taken in the first place, encryption is the layer that stops customers’ sensitive data being used if it is accessed. Companies need to encrypt customers’ sensitive data wherever it is found, whether on-premises, in virtual, public cloud or hybrid environments. One caveat: stored passwords are the exception, and should be held as salted, slow password hashes (so they cannot be recovered at all) rather than reversibly encrypted. More importantly, the traditional data security mind-set has to evolve. Companies need to approach data security with the presumption that perimeters will be breached and, as such, prepare the encryption and key management strategies necessary to protect the most vital asset, the data itself.
3. Key management – once a proper encryption strategy is in place, attention must switch to strong management of the encryption keys. Encryption is only as good as the key management strategy behind it, and companies must keep keys separate from the data they protect, for example by storing them in hardware security modules (HSMs) so that a copy of the database is not also a copy of the keys. After all, it’s no good having the best locks on your house and then leaving the house keys under the mat for any passing opportunist burglar to pick up!
4. Education – in order to build trust, companies need to educate their workforce and their consumers on the steps they have taken to protect their data. And it doesn’t end there. Businesses need a two-pronged approach, also educating employees and consumers on the steps they themselves should take to stay safe and protect their own personal data, which in turn helps them understand how to protect the company’s data.
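Tips 2 and 3 together describe envelope encryption with the keys kept apart from the data. The example below is added here to illustrate that pattern and is not Gemalto’s code: an in-memory KeyStore type stands in for an HSM and exposes only wrap/unwrap, each record is encrypted under its own data-encryption key (DEK) with AES-GCM, and the DEK is stored wrapped under the key-encryption key (KEK). The email address and the "user:42" context label are constructed sample inputs. The point it shows beyond the prose is that a dump of the stored records, the scenario the article assumes when it says perimeters will be breached, decrypts nothing without the key store, and that any tampering with a record is detected.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// newAEAD builds an AES-256-GCM instance from a 32-byte key.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with a fresh random nonce prepended to the output.
func seal(aead cipher.AEAD, plaintext, aad []byte) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; it fails if ciphertext, nonce or AAD were altered.
func open(aead cipher.AEAD, sealed, aad []byte) ([]byte, error) {
	n := aead.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("sealed blob too short")
	}
	return aead.Open(nil, sealed[:n], sealed[n:], aad)
}

// KeyStore is a stand-in (an assumption of this example) for an HSM or KMS:
// it holds the KEK and exposes only Wrap/Unwrap, never the key bytes.
type KeyStore struct {
	kek cipher.AEAD
}

// NewKeyStore generates a random 256-bit KEK that never leaves the store.
func NewKeyStore() (*KeyStore, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return nil, err
	}
	kek, err := newAEAD(raw)
	if err != nil {
		return nil, err
	}
	return &KeyStore{kek: kek}, nil
}

// Wrap encrypts a DEK under the KEK so it can be stored beside the ciphertext.
func (ks *KeyStore) Wrap(dek []byte) ([]byte, error) { return seal(ks.kek, dek, []byte("dek")) }

// Unwrap recovers a DEK; it fails for a blob wrapped under a different KEK.
func (ks *KeyStore) Unwrap(wrapped []byte) ([]byte, error) { return open(ks.kek, wrapped, []byte("dek")) }

// Record is what lands in the database: nothing in it decrypts without the KeyStore.
type Record struct {
	WrappedDEK []byte
	Sealed     []byte
}

// Encrypt creates a per-record DEK, encrypts the field with it and stores the DEK wrapped.
// aad (e.g. the row id) binds the ciphertext to its context so records cannot be swapped.
func Encrypt(ks *KeyStore, plaintext, aad []byte) (*Record, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	aead, err := newAEAD(dek)
	if err != nil {
		return nil, err
	}
	sealed, err := seal(aead, plaintext, aad)
	if err != nil {
		return nil, err
	}
	wrapped, err := ks.Wrap(dek)
	if err != nil {
		return nil, err
	}
	return &Record{WrappedDEK: wrapped, Sealed: sealed}, nil
}

// Decrypt unwraps the DEK through the key store, then opens the record.
func Decrypt(ks *KeyStore, r *Record, aad []byte) ([]byte, error) {
	dek, err := ks.Unwrap(r.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	aead, err := newAEAD(dek)
	if err != nil {
		return nil, err
	}
	return open(aead, r.Sealed, aad)
}

func main() {
	hsm, _ := NewKeyStore()
	rec, _ := Encrypt(hsm, []byte("parent@example.org"), []byte("user:42")) // constructed sample
	pt, err := Decrypt(hsm, rec, []byte("user:42"))
	fmt.Printf("with key store: %q err=%v\n", pt, err)
	attacker, _ := NewKeyStore() // has the database dump, not the real KEK
	_, err = Decrypt(attacker, rec, []byte("user:42"))
	fmt.Println("dump without KEK: err =", err)
}
```

Destroying the KEK in the key store renders every wrapped DEK, and so every record, unrecoverable, which is how crypto-shredding and key rotation fall out of the same design.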