The Consequences Of Poor Data Protection
With the current Model Data Protection Code (1) by the National Internet Advisory Committee, and the announcement of upcoming data protection laws to take effect in 2012 (2), Singapore firms and their customers can expect stricter control by the government and higher awareness among firms and customers alike. But recent security incidents highlight that, with the advancement of cloud computing and the significant increase in outsourcing, protecting personal data will remain a daunting task.
Recent breaches of personal data or information (PD, PI)
On April 21, hundreds of players of the Facebook game MouseHunt who were StarHub subscribers lost virtual goods that cost real money (3). The game's administrator blamed the ISP and its server, and the ISP denied responsibility. Even the PayPal accounts of some customers appeared to have been compromised, and the ISP was called on to investigate. With fierce competitors trying to gain market share, StarHub might lose ground if customers switch to other carriers. The type and extent of the customers' losses have yet to unfold.
A former UOB employee and his accomplice, a former consultant with Standard Chartered Bank, were sentenced to jail terms and fined for stealing and selling the contact details of bank customers (4). It was a classic example of a lack of control over data protection within an organization. The effects of such incidents range widely, from annoying direct marketing to loss of money. There should be a clear strategy, policy and procedure for the access, use and transfer of personal data.
Another example of a breach of data managed by a third-party vendor is the hacking of Honda's customer database in December last year (5). The number of customers affected was 2.2 million in the United States, plus another 2.7 million My Acura account users. Even though the company said 'it would be difficult for a victim's identity to be stolen based on the information that had been leaked', a spammer might use the leaked personal data to trick a customer into giving out sensitive data such as credit card information. Although the leak occurred on the third-party vendor's side, the original company, whose customers were exposed, bears the risk of a damaged image. The IDA (Infocomm Development Authority of Singapore) has outlined the Model Data Protection Code, which states clearly that 'Even as a company outsources its IT operations, it is still liable for the security and accuracy of information' (6).
The reasons behind, and the consequences of, poor data protection
As outsourcing is one of the major cost-saving measures, more organizations are moving their services to third parties. That means an organization has to share sensitive data with several other parties. The soundness of the data's security thus becomes the combination of the control measures of all the companies sharing the same data. Below are the major issues to overcome in implementing controls successfully within and outside the organization:
(1) Complex and varied local and global regulations and standards: With the main organization and the third parties in different geographical locations, and different legal frameworks in the regions where they reside, control of data becomes more complex.
(2) Lack of control by the main organization: Relying too heavily on contractual clauses with the third-party provider, organizations become less aware of how and which data are handled by third parties, and with what level of control measures.
(3) Lack of policy and procedure, or failure to implement them: The company's policy and the detailed responsibilities of data users/controllers should be documented. The procedures and access levels for the use of data, and the reporting system for possible breaches, should be developed, disseminated to staff and periodically reviewed. A good policy without implementation, an implemented procedure that clashes with business needs, or control procedures without adequate training and budget will fail in the face of breaches and undermine the image of the organization.
One or a combination of the above lapses may lead to the following common consequences:
(1) Disruption of service: It might be due to a compromised database, for example of customers, or due to the need to rebuild the database.
(2) Loss of revenue: It might be due to service disruption or reduced market share.
(3) Loss of market share: Customers might choose to move to a competitor's brand.
(4) Loss of customer confidence: It might result in difficulty retaining existing customers and gaining new ground.
(5) Risk of litigation: Loss of personal data may lead to regulatory fines, and to criminal or civil suits by the affected customers.
Possible data breach scenarios for XYZ Construction Pte Ltd
This section describes possible data breach scenarios within and outside XYZ Construction Pte Ltd, which is based in Singapore with subsidiaries in Malaysia, Indonesia and Sri Lanka. Its suite of IMS (Information Management System) was developed and is maintained by a globally recognized ERP solution provider. The servers were outsourced to, and are maintained by, a local IT company.
(1) Deliberate misuse of company information: Data such as employees' particulars, standard quotation prices, and lists of clients and material suppliers may be a useful tool for competing companies. Existing employees who have access to those data may try to transfer them to outsiders.
(2) Unintentional exposure of data: It might be due either to human error or to a system (hardware, software) glitch.
To prevent those possible incidents, the control measures, which can be incorporated into the company's Data Protection Regime, are discussed in the next section.
(B) Key Aspects of a Data Protection Regime
With the significant increase in media stories similar to those described in Part A, organizations need a complete understanding of the types of data they share with third parties, and of whether the existing control measures of the company and the third parties are sufficient. It can be seen from those stories that even with a data protection policy, failure to implement it, or to support it with realistic control procedures, adequate budget and training, can lead to unauthorized data transfer, whether intentional or unknowing.
The main steps to fulfil the data protection requirements, together with the procedures to be implemented for XYZ Construction Pte Ltd, are discussed below. As Singapore is still developing its data protection laws, we base our implementation on the current Model Data Protection Code. The general steps below are from the notes by the Data Protection Commissioner of Ireland (7).
1. Strategy: The company will have to nominate a group headed by a DPO (Data Protection Officer) to structure the overall strategy to meet the company's objectives and current legislation. The DPO will also have to outline key requirements, such as reporting structures.
2. Data Inventory: Identify all the data to be protected and the flow of those data, from collection through storage, usage and maintenance to disposal, in either electronic or physical form. Case 2 in Part 1B highlights the failure to recognize the leak of data on wrongly printed paper at shared printers.
3. Requirement Definition: Even within Asia, there are fundamental differences in legal and regulatory requirements. Those differences need to be identified and addressed, since the company operates in different regulatory environments. The regional difference between the MouseHunt game developer (Canada) and StarHub (Singapore) shows the complexity of the legal framework if a subscriber wants to pursue legal action against them.
4. Risk Analysis: An appropriate policy with risk analysis should include the requirements tailored to the relevant jurisdiction. Different data protection requirements entail different modes of collecting, storing and retaining the data, which in turn affect the customers' experience.
5. Data Protection Policy: The policy should include detailed roles and responsibilities, the use of data for direct marketing, training, budget, etc.
6. Data Protection Procedures: A conflict of interest will arise when the company wants to use customers' data for direct marketing. The procedures should specify when and what data are allowed to be used, as per the customers' sign-off agreement. To avoid cases like the UOB employee selling customers' information, a data access request procedure should be developed. It should also include data retention and destruction procedures.
7. Data Management Control: The company will identify and analyze business processes, and develop controls for each process.
8. Technology-Enabled Tools: Without hindering adequate access to data, the company should adopt data monitoring tools to watch the movement of data.
9. Training: Training is a critical requirement for successfully implementing the company's policy and procedures.
10. Monitoring: Periodic review of policy and procedure within and outside the company will ensure ongoing compliance.
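As an added illustration of steps 6 to 8 above (a data access request procedure, per-process controls and a tool that watches the movement of data), the following Python sketch shows how a request to read a category of personal data can be checked against a documented policy, logged, and then monitored for the kind of bulk read that preceded the UOB contact-details case. It is not code from this page or from any company named in it; the roles, data categories, purposes, threshold and access records are constructed assumptions.

```python
"""Added example: policy check on data access requests plus a monitor over
the resulting access log. Roles, categories, purposes, thresholds and the
sample requests are constructed for illustration (hypothetical, not from
any real system)."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed policy: which roles may read which category of personal data,
# and for which declared purpose. Anything not listed here is denied, so a
# marketing use must be explicitly granted (the sign-off agreement step).
ACCESS_POLICY = {
    "customer_contact": {"sales": {"service"}, "support": {"service"}},
    "employee_particulars": {"hr": {"payroll", "service"}},
    "quotation_prices": {"sales": {"service"}, "estimator": {"service"}},
}

# Monitoring rule (constructed): more than this many distinct customer
# records read by one user within the window is flagged for DPO review.
BULK_THRESHOLD = 50
BULK_WINDOW = timedelta(hours=1)


@dataclass
class AccessRequest:
    user: str
    role: str
    category: str
    purpose: str
    record_ids: tuple
    when: datetime


@dataclass
class AccessLog:
    entries: list = field(default_factory=list)  # (request, granted) pairs


def check_request(req: AccessRequest) -> bool:
    """Grant only if the role is listed for the category with that purpose."""
    allowed_purposes = ACCESS_POLICY.get(req.category, {}).get(req.role, set())
    return req.purpose in allowed_purposes


def process_request(req: AccessRequest, log: AccessLog) -> bool:
    """Decide, record the decision (denials included), and return it."""
    decision = check_request(req)
    log.entries.append((req, decision))
    return decision


def flag_bulk_reads(log: AccessLog) -> dict:
    """Return {user: max distinct customer records} for users whose granted
    customer_contact reads within BULK_WINDOW exceed BULK_THRESHOLD."""
    flagged = {}
    per_user = defaultdict(list)
    for req, granted in log.entries:
        if granted and req.category == "customer_contact":
            per_user[req.user].append(req)
    for user, reqs in per_user.items():
        reqs.sort(key=lambda r: r.when)
        # Sliding window starting at each granted read of this user.
        for i, start in enumerate(reqs):
            ids = set()
            for r in reqs[i:]:
                if r.when - start.when > BULK_WINDOW:
                    break
                ids.update(r.record_ids)
            if len(ids) > BULK_THRESHOLD:
                flagged[user] = max(flagged.get(user, 0), len(ids))
    return flagged


def demo() -> AccessLog:
    """Constructed sample day: one normal read, one denied request, and one
    user pulling 120 distinct customer records in about half an hour."""
    log = AccessLog()
    t0 = datetime(2011, 5, 2, 9, 0)
    process_request(AccessRequest("alice", "support", "customer_contact",
                                  "service", ("C1001",), t0), log)
    process_request(AccessRequest("bob", "estimator", "customer_contact",
                                  "marketing", ("C1002",), t0), log)
    for i in range(12):
        ids = tuple(f"C{2000 + i * 10 + k}" for k in range(10))
        process_request(AccessRequest("carol", "sales", "customer_contact",
                                      "service", ids,
                                      t0 + timedelta(minutes=3 * i)), log)
    return log


if __name__ == "__main__":
    sample = demo()
    for req, granted in sample.entries[:2]:
        print(req.user, req.category, req.purpose, "granted" if granted else "denied")
    print("bulk reads for review:", flag_bulk_reads(sample))
```

The point of logging denials as well as grants is that the monitoring step (10) can review both: a denied marketing request tells the DPO that the sign-off agreement is being tested, while a granted but oversized read is exactly the pattern a contractual clause with a third party cannot catch on its own.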
As personal technology advances, with portable data storage and mobile devices, preventing the loss of customers' and employees' personal data is a growing challenge for the company, both within the organization and from third parties such as the software developer and the server maintenance provider. Detailed procedures, implementation and monitoring are the most important steps to incorporate into the company's data protection strategy.
(6) http://www.ida.gov.sg/Sector Development/20090319164535.aspx
(7) http://www.deloitte.com/assets/Dcom-Ireland/Local%20Assets/Documents/ie_AccountancyIreland_Data%20Protection_0209.pdf