
The Real Risk Posed by Breach Data

Craig Pedersen: Certified Fraud Examiner (CFE) / Certified Cyber Crime Investigator (CCCi)

Every day companies collect data: client and vendor details, ID numbers, addresses, phone numbers and, of course, transactional data. This data is typically stored in complex accounting or Customer Relationship Management (CRM) systems that are assumed to be well secured.
 
As consumers, we part with our data on a daily basis. It is shared through the mobile apps we load onto our phones, and when we log into a new app with our Google or Facebook credentials we hand over our e-mail addresses and, with them, a credential that unlocks a great deal more.
 
It is quite common to have your driver's licence scanned as you enter a complex, and your vehicle's registration disc too. But where does this data live, who can query it, and for how long is it stored?
 
As consumers, we have very little idea of, or control over, how this data is used, yet we part with our personal information for something as simple as ordering a pizza. One has to remember that the overriding requirement of the company collecting the data is to conclude a transaction or sale and record it against the correct consumer. Data privacy and security are, sadly, a secondary concern in this process, and that is where the problems begin. While companies around South Africa should have firm data retention policies in place by now, and are well versed in the onerous requirements of the Protection of Personal Information Act (POPI), one has to ask whether this is tick-box policy or whether sufficient controls have actually been implemented to treat POPI compliance seriously.
 
The fundamental intention behind POPI is to force companies to be more privacy-centric in the way that they retain and store client data and, of course, to take the appropriate measures if data is breached in any way.
This raises the question of what exactly a breach is. Is it the same as a hack? What is the material difference, and does it matter?
 
A data breach typically occurs when poor security or poor policy has allowed an outside party access to data that they should not have access to, or to more data than they should reasonably be able to acquire. No exploit is needed; the data was simply reachable.
A hack, by contrast, is deliberate, unauthorised entry into a computer or network with the intent to extract data and/or cause harm to the network and the data on it.
 
In layman’s terms, one could liken a hacking incident to a housebreaking, while a data breach would be more akin to “criminal trespass” where the front gate and door were carelessly left open and unattended.
 
With the right technical abilities, data can be harvested from internet-facing servers that hold valuable client information. Data security policies, and the controls that back them, are more important now than ever before.
 
Fortunately, the Information and Communications Technology (ICT) sector has many standards and bodies of best practice to guide companies on the appropriate measures for responsibly securing client data. These include the ISO/IEC 27000 series (ISO/IEC 27001 in particular), the bodies of knowledge behind the CISSP and CISM certifications, and service-management frameworks such as ITIL that govern how systems and changes are run.
 
We all know that security is a grudge purchase and consequently budgets are easily reduced when financial pressure mounts or other ICT needs are identified.
 
In the past two years, South Africa has seen substantial data breaches, the more recent notables being Dis-Chem (via a service provider), TransUnion, Experian, Standard Bank and Debt-IN as a provider to African Bank.
These data breaches have placed millions of consumer records "in the wild", out there in cyberspace and available for sale or trade. In many instances the data includes South African ID numbers, full names, addresses and contact numbers.
 
The sheer volume of breached data is staggering - and a goldmine for cyber criminals.
 
Armed with the data exposed in breaches, savvy criminal networks are able to impersonate banks and credit providers convincingly, using telesales-style scripts and micro call centres. Calls are made to unsuspecting consumers to "sell them services" and harvest yet more data, or to impersonate bank fraud departments and social-engineer victims into reading out One Time Pin (OTP) codes over the phone. The victim believes they are confirming a fraud; in fact they are handing the criminals the confirmation OTPs for purchases being made online at their expense.
 
The key to data breaches is that the data becomes searchable from all directions. Inside the company's own systems, data can usually be reached only through a handful of application lookup fields (an account or ID number, say), behind access controls and audit logs. Once exported, it is a flat file that can be loaded into any database and indexed, joined and searched on new variables such as address, e-mail address, partial phone numbers and more. With this ability, criminals can profile and match targets, know their neighbours' names, and add a whole new layer of complexity and believability to their schemes.
 
The POPI Act clearly sets out the responsibility of companies to exercise due care in protecting consumer information and levies hefty penalties for non-compliance. It also requires a company to notify the Regulator of any breach incident, so that statistics on breaches can be tracked and consumers can be forewarned that their data may be exposed. When one considers the penalties attached to reckless data retention and management, as well as the direct, undeniable risk to the consumer at large, it becomes clear that data privacy needs to be taken seriously.
 
It is more prudent than ever that companies revise their data retention policies and apply the principle of least privilege when assigning user access and developing systems: collect and expose only the data needed to complete the task, and no more. POPI compliance needs to be factored into employment contracts, ICT acceptable-use policies and even Bring Your Own Device (BYOD) policies.
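The two points above, that a breached dump can be indexed on fields the source system never offered, and that keeping only the fields a transaction needs removes those pivots, are easier to appreciate in working code. The following is an added example, not code from the original article or from Moore; the names, ID numbers, addresses and phone numbers are constructed and fictional, and the field names are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed, fictional "breach dump" records (not real people or numbers).
BREACH_DUMP = [
    {"id_number": "8001015009087", "name": "Thandi Example",
     "address": "12 Acacia Road, Sandton", "phone": "0821234567",
     "email": "thandi@example.org"},
    {"id_number": "7505125004089", "name": "Piet Voorbeeld",
     "address": "14 Acacia Rd, Sandton", "phone": "0837654321",
     "email": "piet@example.co.za"},
    {"id_number": "9203035012085", "name": "Sipho Sample",
     "address": "3 Protea Street, Durban North", "phone": "0794567890",
     "email": "sipho@example.org"},
]

STREET_ABBREVIATIONS = {"rd": "road", "st": "street", "ave": "avenue"}


def normalise_street(address):
    """Map '14 Acacia Rd, Sandton' and '12 Acacia Road, Sandton' to one key.

    The house number is dropped and abbreviations expanded, so every record
    on the same street lands in the same index bucket.
    """
    street, _, suburb = address.partition(",")
    words = re.sub(r"^\d+\s*", "", street).lower().split()
    words = [STREET_ABBREVIATIONS.get(w.rstrip("."), w) for w in words]
    return " ".join(words) + "," + suburb.strip().lower()


def build_indexes(records):
    """Index the dump on fields the originating system never exposed as
    search keys: street, last four digits of the phone number, e-mail
    domain and birth year (the YY prefix of a South African ID number).
    Records missing a field simply do not appear in that index."""
    idx = {"street": defaultdict(list), "phone_suffix": defaultdict(list),
           "email_domain": defaultdict(list), "birth_year": defaultdict(list)}
    for rec in records:
        if "address" in rec:
            idx["street"][normalise_street(rec["address"])].append(rec)
        if "phone" in rec:
            idx["phone_suffix"][rec["phone"][-4:]].append(rec)
        if "email" in rec:
            idx["email_domain"][rec["email"].rsplit("@", 1)[1].lower()].append(rec)
        if "id_number" in rec:
            idx["birth_year"][rec["id_number"][:2]].append(rec)
    return idx


def neighbours(indexes, record):
    """Names of other people in the dump living on the same street."""
    if "address" not in record:
        return []
    key = normalise_street(record["address"])
    return sorted(r["name"] for r in indexes["street"][key] if r is not record)


def match_partial_phone(indexes, last_four):
    """Resolve a partially overheard or partially displayed number to names."""
    return sorted(r["name"] for r in indexes["phone_suffix"].get(last_four, []))


# Defensive side: a pizza order needs a name and a contact number, nothing else.
ORDER_FIELDS = ("name", "phone")


def minimise_for_purpose(record, keep=ORDER_FIELDS):
    """Retain only the fields the transaction actually requires."""
    return {k: v for k, v in record.items() if k in keep}


if __name__ == "__main__":
    full = build_indexes(BREACH_DUMP)
    print("Neighbours of", BREACH_DUMP[0]["name"], "->", neighbours(full, BREACH_DUMP[0]))
    print("Who ends in 4567? ->", match_partial_phone(full, "4567"))

    minimal = [minimise_for_purpose(r) for r in BREACH_DUMP]
    reduced = build_indexes(minimal)
    print("Neighbours after minimisation ->", neighbours(reduced, minimal[0]))
```

Run with the full records, the street index links the first two people as neighbours and a four-digit phone fragment resolves to a name; run with the minimised records, the neighbour pivot yields nothing because the address was never stored. The phone pivot survives, which is the point: every field retained is a field an attacker can search on, so retention decisions are security decisions.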
 
The genesis of data protection lies in policy. Policy on its own, however, is merely administrative and needs strong adherence, regular revision and testing. This must be intertwined with a review of legacy IT systems and data controls to ensure that data is properly encrypted, stored and secured, and that access to it is restricted and logged.
 
Only when companies embark on serious introspective investigations of the way in which they work with client and consumer data will we start to see a reduction in data breaches, and in the identity theft, commercial identity theft, application fraud and other cybercrime that follow from them.
 
It behoves the modern business to be critical of its own controls and to audit them with regularity and integrity, building an overall picture of risk areas and the mitigation each requires.
 
For more information, contact your local Moore firm here.