© The Financial Times Ltd 2015 FT and 'Financial Times' are trademarks of The Financial Times Ltd.
March 25, 2014 2:16 pm
Data collection poses moral and legal issues for companies, but it is a field with as many grey areas as firm rules. Take video surveillance in a bank to deter criminals. Using video images, perhaps with facial recognition software, might be acceptable to detect fraud. But using that same information for marketing purposes is less acceptable and may be illegal.
“You would be allowed to scan faces to check against a bank robber database as that is protecting your assets,” says Carsten Casper, research vice-president at industry analysts Gartner. “Doing that for customer services purposes would be a step too far.”
Deciding what is appropriate and what is not is a growing challenge. New data types are stretching existing definitions of consent; powerful data analysis and data mining tools bring their own risks, as otherwise anodyne or even anonymised data can lead to the identification of individuals as technology brings data sets together.
Scott Gnau, president of Teradata Labs, which provides data storage platforms, says: “This issue has existed within data warehouses and business intelligence tools for some time. It might be OK to know my age, for demographic purposes, but not to give out my name and age; someone might misuse that.”
This has led organisations to use tokenisation of data – substituting random values for personal data, such as social security numbers – and pseudonymisation – where data are separated from personal details.
But such steps are not foolproof, and may not amount to a legal defence in the event of data loss. The European Commission only recently amended its proposed data protection regulation to allow companies to use pseudonymised data.
Privacy groups remain concerned that data mining and analysis could unravel such anonymity, either deliberately or by allowing a malicious party to combine stolen data sets, or even public domain data, to identify individuals. If such data are no longer obscured, companies could lose their legal basis for holding them.
This process works in the other direction too: if companies obtain specific data sets with the subjects’ consent, or promise anonymity, the business can be on shaky legal ground when it starts to analyse or manipulate the data.
“There are many occasions where aggregated data are far more than the individual components,” says Peter Cochrane, a consultant and former chief of technology at BT.
He adds: “These data sets may be legitimate or legal, but their aggregation may not be.”
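Added example, not part of the original article: a release check for the tokenisation described above, showing that swapping a random token for the social security number leaves each record unique on the fields that remain, which is what lets combined data sets single out a person. The records, field names and the choice of age and postcode as linkable fields are constructed assumptions, and the generalisation step goes one step beyond the text.

```python
import secrets
from collections import Counter

# Constructed sample records; every value is invented for illustration.
RECORDS = [
    {"ssn": "000-00-0001", "age": 34, "postcode": "AB1 2CD", "spend": 120},
    {"ssn": "000-00-0002", "age": 36, "postcode": "AB1 2EF", "spend": 75},
    {"ssn": "000-00-0003", "age": 61, "postcode": "EF3 4GH", "spend": 310},
    {"ssn": "000-00-0004", "age": 67, "postcode": "EF3 4JK", "spend": 40},
]
QUASI_IDENTIFIERS = ("age", "postcode")  # assumed linkable to outside data


def tokenise(records, field="ssn"):
    """Swap the direct identifier for a random token; the mapping stays in a vault."""
    vault, released = {}, []
    for rec in records:
        token = secrets.token_hex(8)
        vault[token] = rec[field]
        row = {k: v for k, v in rec.items() if k != field}
        row["token"] = token
        released.append(row)
    return released, vault


def k_anonymity(rows, quasi=QUASI_IDENTIFIERS):
    """Smallest group sharing the same quasi-identifier values; 1 means a unique row."""
    groups = Counter(tuple(r[q] for q in quasi) for r in rows)
    return min(groups.values())


def generalise(rows):
    """Coarsen to a ten-year age band and the outward part of the postcode."""
    out = []
    for r in rows:
        band = r["age"] // 10 * 10
        out.append({**r, "age": f"{band}-{band + 9}", "postcode": r["postcode"].split()[0]})
    return out


if __name__ == "__main__":
    released, _vault = tokenise(RECORDS)
    print("k after tokenisation:", k_anonymity(released))
    print("k after generalisation:", k_anonymity(generalise(released)))
```

A data set would be held back from release or analysis while `k_anonymity` stays below the threshold the organisation has set for itself.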
A further challenge comes from the emergence of new types of data, some of which hold very private information. In the US and Europe, lawmakers and privacy advocates are becoming concerned about the spread of biometric data, and especially its use by private organisations.
A desire to control the use of such information has led the US Department of Commerce to draft a code of practice with data users. Although voluntary, firms that sign up to the code of practice and break it will leave themselves open to legal action as well as reputational damage, says Miriam Wugmeister of US law firm Morrison & Foerster.
US states are also drafting their own laws to control collection and use of biometric data. The validity of such consent will depend on how data are collected. “Biometrics used for security is all good, but if that information is gathered passively maybe its use for customer services isn’t appropriate,” says John Skipper, a data privacy expert at PA Consulting Group.
Courts might also question consent if, for example, an employee is made to agree to biometric data collection or lose their job. For the public, “opt outs need to be very easy to exercise”, says Ms Wugmeister.
Even relatively mundane information can expose complex legal issues. Companies might record car number plates to automate car park access, or protect petrol stations against non-payers. But there may be no justification to combine that information with loyalty card or payment card data, and use it for marketing purposes.
Smartphone use also poses difficulties as retailers are using phone signals to locate shoppers within stores, to model footfall patterns. As long as this information is anonymous, it should be legal. But if companies tie that information to individuals, the privacy and legal risks are very real.
As a result, businesses need to be clear about what data they are collecting, and why. “You can’t provide privacy unless your security controls are transparent,” says Eddie Schwartz, a vice-president at Verizon, the telecommunications company.
“You have to be a ‘crystal box’, showing your controls and oversight, and providing evidence for them.”
Data security: Six steps to help ensure you keep your company defences up
To misquote Oscar Wilde, “to suffer a cyber attack is unfortunate, but to lose data looks like carelessness”.
The damage caused by data leakage can be considerable. Under proposed EU data protection laws, it could cost a company 5 per cent of its worldwide turnover.
Here is a checklist of the key reasons for data losses and how to prevent them.
1. Make sure data are identified and classified.
A business cannot protect what it cannot see. Ask what information is being held, where, why, how important it is, and what its leakage would mean.
Governments are good at creating data classes, from “confidential” to “top secret”, but this is time-consuming.
Etienne Greeff, chief executive of information security company SecureData, says: “Rather than try to complete a full data classification exercise, start by identifying what is important to you.”
2. Discard data you do not use.
Too many companies hoard data. Holding too much creates regulatory, legal and privacy risks. Duplicate copies of data make it hard to see who is using what.
Companies should collect less and throw more away.
“Go on a data diet,” suggests Stephen Bonner, partner in information security at KPMG, the professional services firm. “Identify data you no longer need, and slim down.”
3. Control who has access to data and monitor it.
The more people who handle data, the greater the risks. Data protection laws set out basic requirements for handling sensitive personal information, but they do not cover other, equally vital types of data, such as financial files or intellectual property.
“Once you’ve identified the [data] assets, you can put in place controls to limit access,” says Sol Cates, chief technology officer at security vendor Vormetric.
Sensitive data should be stored in as few places as possible and the number of users with access restricted.
Some regulations, such as for payment cards, even legislate for this.
4. Encryption is vital.
Assume data will leak or be stolen, so switch defences to ensure sensitive data are of no value in the wrong hands.
Such information should be encrypted at every stage, including in back-up systems.
Art Gilliland, senior vice-president of enterprise security at HP, says that enterprises typically spend more than 80 per cent of their security budgets on the perimeter, which is of little use when the data are outside.
5. Secure privileged user accounts and check who has access to encryption keys.
Administrator accounts are often targeted by those planning to steal data, so limit privileged user access to those who need it. This also applies to encryption keys.
Brian Lowans, principal research director at Gartner, says: “Does any organisation have direct access to your data or encryption keys? If so, you’re increasing the risk.”
6. Have a data breach plan ready.
No company can prevent every data loss, so a plan to deal with the consequences is essential.
Mitigation will reduce reputational damage and can reduce regulatory fines.
Plans should include workers’ education. KPMG’s Mr Bonner says staff who are aware of the risks are more loyal, and more motivated to protect data.