News of the recent, large-scale data breach at US health insurer Anthem adds yet another big name to the list of companies that have suffered targeted attacks, compromising the personal details of millions of people. The company itself has reacted quickly with an admission, an apology, and a website with more information for those affected. But what’s the bigger picture, in terms of good practice in data custody?
First and foremost, this is an issue of trust. The data-driven world being what it is, we no longer have an alternative to being digital citizens. If you bank, pay tax, receive social security or healthcare benefits, or use a telephone, you are partly digital… and of course most of us do far more than that in the digital realm every day. No matter how concerned you are about privacy, it just isn’t realistic to expect to withdraw from the digital world, so you have to place your trust in the growing number of organisations who collect, process and share your personal data.
The Internet Society recently published its approach to cybersecurity:
We risk losing the trust of users who have come to depend on the Internet for many of life’s activities. And we believe that we also risk losing the trust of those who have yet to access the benefits of the Internet, thereby discouraging the kind of investment needed to complete the job of connecting everyone in the world.
Data breaches undermine trust, and shake people’s confidence in services from which they often cannot simply withdraw. But the problem is not confined to health insurance, or to commercial organisations, or to the US. There are plenty of examples of poor data custody in the public sector and in other countries around the world. So, what can and should organisations do to ensure that they are the best possible custodians of personal data, are worthy of trust, and – when the worst happens – can rebuild the trust of the individuals whose data they hold?
Be a good data custodian
One lesson about good practice can be drawn from Anthem’s own response to this breach. According to their website, although the data breach affected a worrying set of personal details, the company expresses confidence that the attack did not compromise other specific datasets such as claims data, medical information and credit card details. We don’t yet know the details of the attack, but one question, clearly, will be whether the data that was not breached benefited from protection that could have been applied to the data that was breached. For example, the card schemes insist on specific safeguards under PCI DSS (the Payment Card Industry Data Security Standard). Were some of Anthem’s data stores simply easier to access than others? Were the authentication and access controls strong enough?
It would be premature to jump to conclusions in Anthem’s case, but these principles are generally applicable:
- Compartmentalise data so that the impact of any single breach is limited.
- Restrict access to data, so that only the right users/roles and applications can unlock it.
- Increase the strength of authentication required, according to the sensitivity and scope of data accessed.
- Protect privileged users’ access with particular care.
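The four principles above, expressed as an access-control policy. This is an added example in Go, not code from the original post and not a description of Anthem's systems; the compartment names, roles, the three-step authentication scale and the "bulk needs one level more" rule are constructed assumptions chosen to show compartmentalisation, role restriction, step-up authentication by sensitivity and scope, and special handling of privileged roles in one decision function.

```go
package main

import "fmt"

// AuthLevel is an assumed ordinal scale of authentication strength; the
// numbers exist only for comparison and are not taken from any standard.
type AuthLevel int

const (
	AuthPassword    AuthLevel = iota + 1 // single factor
	AuthMFA                              // password plus a second factor
	AuthHardwareKey                      // phishing-resistant hardware authenticator
)

// Dataset is one compartment of personal data with its own access policy.
type Dataset struct {
	MinAuth      AuthLevel       // weakest authentication that may unlock a single record
	AllowedRoles map[string]bool // human roles and service identities permitted to read it
}

// Principal is whoever is asking: a user or an application, with its roles
// and the strength of authentication it presented for this session.
type Principal struct {
	ID    string
	Roles []string
	Auth  AuthLevel
}

// Decision carries the verdict, whether the access must be audit-logged, and why.
type Decision struct {
	Allowed bool
	Audit   bool
	Reason  string
}

// compartments is a constructed sample policy. Each compartment has its own
// role list and its own authentication floor, so a path into one of them
// does not unlock the others.
var compartments = map[string]Dataset{
	"enrollment": {MinAuth: AuthMFA, AllowedRoles: map[string]bool{"claims-processor": true, "dba": true}},
	"claims":     {MinAuth: AuthMFA, AllowedRoles: map[string]bool{"claims-processor": true, "dba": true}},
	"cards":      {MinAuth: AuthHardwareKey, AllowedRoles: map[string]bool{"payments-service": true, "dba": true}},
}

// privilegedRoles can reach every compartment (a database administrator, say);
// they always need the strongest authentication and every access is audited.
var privilegedRoles = map[string]bool{"dba": true}

func hasRole(p Principal, allowed map[string]bool) bool {
	for _, r := range p.Roles {
		if allowed[r] {
			return true
		}
	}
	return false
}

// requiredAuth raises the floor with the scope of the request: bulk access
// (an export or a full-table query) needs one level more than a single-record
// lookup, and privileged principals always need the maximum.
func requiredAuth(p Principal, ds Dataset, bulk bool) AuthLevel {
	need := ds.MinAuth
	if bulk && need < AuthHardwareKey {
		need++
	}
	if hasRole(p, privilegedRoles) {
		need = AuthHardwareKey
	}
	return need
}

// Authorize decides whether p may read dataset, one record or in bulk.
// Unknown datasets and missing roles are denied before authentication
// strength is even considered (default deny).
func Authorize(p Principal, dataset string, bulk bool) Decision {
	ds, ok := compartments[dataset]
	if !ok {
		return Decision{Reason: "unknown dataset: default deny"}
	}
	if !hasRole(p, ds.AllowedRoles) {
		return Decision{Reason: "role not permitted for " + dataset}
	}
	if need := requiredAuth(p, ds, bulk); p.Auth < need {
		return Decision{Reason: fmt.Sprintf("step-up authentication required: have level %d, need %d", p.Auth, need)}
	}
	return Decision{Allowed: true, Audit: bulk || hasRole(p, privilegedRoles), Reason: "allowed"}
}

func main() {
	alice := Principal{ID: "alice", Roles: []string{"claims-processor"}, Auth: AuthMFA}
	bob := Principal{ID: "bob", Roles: []string{"dba"}, Auth: AuthMFA}
	for _, req := range []struct {
		p       Principal
		dataset string
		bulk    bool
	}{{alice, "enrollment", false}, {alice, "cards", false}, {bob, "enrollment", true}} {
		d := Authorize(req.p, req.dataset, req.bulk)
		fmt.Printf("%s -> %s (bulk=%v): allowed=%v audit=%v: %s\n",
			req.p.ID, req.dataset, req.bulk, d.Allowed, d.Audit, d.Reason)
	}
}
```

The thing to notice is that the same person with the same role gets three different answers depending on what they are asking for: a single record at MFA is fine, a bulk export at MFA is refused until they step up, and anyone holding a privileged role is held to the strongest factor and audited no matter how routine the query looks.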
The recently publicised attacks have targeted data at rest, as opposed to data in motion, but there’s little point securing your databases if you let the same data cross the network in the clear. Data needs protection whether it’s being stored or being sent. Session-level encryption (TLS, for example) can protect data against exposure while it’s in transit, and encrypting datasets/documents themselves before sending them ensures that they don’t just fall out of the far end of a session-encrypted ‘pipeline’ in a readable form, where a compromised server or intermediary could pick them up.
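The distinction between the session-encrypted pipe and the document inside it, as an added example in Go that is not code from the original post. It seals a record with AES-256-GCM under a per-dataset key before it goes anywhere, then shows what the far end of the pipe sees once the session layer has been stripped. The key, the record, the envelope layout (nonce followed by ciphertext and tag) and the use of the dataset name as associated data are all assumptions made for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// DemoKey is a constructed 256-bit dataset key. In a real deployment the key
// would come from a key-management service and would never be a literal.
var DemoKey = []byte("0123456789abcdef0123456789abcdef")

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealDocument encrypts doc with AES-256-GCM before it is handed to the
// transport. The envelope layout (nonce || ciphertext || tag) is an assumption
// for this example. aad binds the ciphertext to a context such as the dataset
// name, so a sealed document cannot be replayed under a different label.
func SealDocument(key, doc, aad []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce, giving one self-describing blob.
	return aead.Seal(nonce, nonce, doc, aad), nil
}

// OpenDocument reverses SealDocument and fails closed on any tampering or on a
// mismatched aad: GCM verifies the tag before it releases any plaintext.
func OpenDocument(key, envelope, aad []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(envelope) < ns+aead.Overhead() {
		return nil, errors.New("envelope too short")
	}
	return aead.Open(nil, envelope[:ns], envelope[ns:], aad)
}

// TransportDeliver stands in for the far end of a session-encrypted pipe:
// TLS has been terminated by the receiving server or proxy, and whatever
// process runs there sees exactly these bytes.
func TransportDeliver(payload []byte) []byte {
	return append([]byte(nil), payload...)
}

// ExposesPlaintext reports whether the delivered bytes contain the document
// as sent, i.e. whether someone at the end of the pipe could read it without
// holding the dataset key.
func ExposesPlaintext(delivered, doc []byte) bool {
	return bytes.Contains(delivered, doc)
}

func main() {
	doc := []byte("member=Jane Doe;dob=1970-01-01;ssn=000-00-0000") // constructed sample record
	aad := []byte("dataset=enrollment")

	// Sent in the clear inside a TLS session: readable the moment TLS is stripped.
	fmt.Println("clear over TLS, readable at far end:", ExposesPlaintext(TransportDeliver(doc), doc))

	// Sealed first: still ciphertext on arrival, and tamper-evident.
	env, err := SealDocument(DemoKey, doc, aad)
	if err != nil {
		panic(err)
	}
	fmt.Println("sealed over TLS, readable at far end:", ExposesPlaintext(TransportDeliver(env), doc))
	if _, err := OpenDocument(DemoKey, env, []byte("dataset=claims")); err != nil {
		fmt.Println("open under wrong dataset label:", err)
	}
}
```

The session layer is still needed (it protects metadata, the nonce and the envelope from being replaced in flight by an on-path attacker), but it stops protecting the moment it is terminated; the sealed envelope keeps protecting the record until a holder of the dataset key chooses to open it, which is the property the paragraph above is asking for.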
Any data custodian should think carefully about the privacy and security implications of measures that undermine data confidentiality, such as cryptographic “back doors” or “golden keys” to facilitate third-party access.
Remember: if you’re a data custodian and you suffer a breach, you’re not the victim: you’re the route the attacker took to get to the victims. Don’t leave that route open.
Size isn’t important
Although breaches at big, high-profile companies hit the headlines, technology makes it increasingly easy for tiny organisations to accumulate colossal amounts of data. We’re frequently told that big data is the new oil… but who would spend millions finding and extracting oil to make billions from it, but then keep it in a big plastic bucket in the back yard?
To put it bluntly: if your business model is to monetize individuals’ personal data, then protecting your raw material makes sense for you as well as them.
Prevention is better than cure
Anthem, like many organisations before it, tries to reassure victims of the breach by offering credit monitoring and identity protection services. But the individuals whose personal data has been compromised still face months, maybe years, of effort and inconvenience to mitigate the resulting risk. They are at greater risk of identity theft, identity fraud, a worsened credit rating, and reputational damage.
It is notoriously difficult to associate a specific data breach with the harm an individual might suffer further down the line – and that difficulty grows with each successive breach. An identity (built up from data like name, address, date of birth, social security number) is not like a credit card. If your credit card is compromised, simple: you have the bank cancel it and issue a new one. You can’t do that with your identity, yet we protect the credit card data with more care. Does that make any sense?
Where personal data is concerned, the impact of a breach is potentially so irreversible that prevention, rather than cure, must be the priority.
Recognise the real value of personal data
The hidden theme through all these recommendations is this: personal data has value, both to the individual concerned, and to the organisations that collect and process it. Too often, that value is disregarded for the sake of convenience or cost-saving. Identity data deserves just as much protection as credit card data, or medical data.
Every individual whose data you process puts their trust, and to some extent their future in your hands. Be a safe repository for their data, and a worthy repository for their trust.