Cybersecurity And The Ever Growing Concerns On Data Privacy And Protection

November 01, 2022

The recent conviction of Uber’s former Chief Security Officer by a US federal jury on 5 October 2022 for ‘obstruction of proceedings’ (read ‘cover-up’) over a customer-data hack incident puts the spotlight squarely back on the growing seriousness with which the world views issues of consumer data privacy, protection and security. The incident itself relates to a ransomware attack on Uber in 2016 which led to a privacy breach in which 50,000 consumers’ personal information, including their names and driving license numbers, was exposed.

Cyberattacks are on the Rise

Such attacks have been growing fast in recent years as the world gets more connected. In fact, even with this incident, the hackers were found to have gone on to try a ransom attack on another company – Lynda.com – before being finally caught and convicted in 2019. Each year brings its own large – and rising – number of high-profile cyberattacks. In May 2022, an attempted ransomware attack on Indian airline SpiceJet impacted an entire morning’s flight schedules before it could be thwarted. Between February and March, separate hacks in Toyota’s supplier’s systems caused production halts and other disruption across Japan, Germany and the USA. An attack on Microsoft compromised important products like Bing and Cortana. Nvidia, the largest semiconductor chip company in the world, suffered the theft of 1TB of company data. Emails with sensitive information were stolen from News Corp’s journalists.

Nor are these incidents confined to private businesses alone. In January 2022, an attack on a Red Cross contractor compromised half a million records and the public body’s servers had to be taken offline in response. Strikingly, even governments have not been spared. The Costa Rica government had to declare a state of emergency after hacks in April and May – the first time ever that a national emergency had been imposed anywhere due to a cyberattack.

Cybercrime is one of the greatest threats today to societies, governments and businesses alike. It cost the world US$ 6 trillion in 2020 and that cost is projected to grow 15% each year! No wonder spending on cybersecurity is estimated at US$ 1 trillion today – and growing equally rapidly.

Data Privacy is the Fundamental Lens Through Which to View Them

While these cyberattacks have caused billions of dollars in losses for businesses globally and led to laws and regulations around the world to counter them, it must be noted and remembered that the laws themselves have as their primary objective the upholding of consumers’ privacy and the protection of their personal data.

Ordinary citizens’ concerns and fears about the erosion of their privacy and the theft or misuse of their personal information have grown exponentially over the last two decades. The Internet Society and Consumers International, for example, cite that nearly 70% of consumers today worry about how mobile apps collect and use their personal data. Their awareness of the uses (and abuses!) of such data has grown equally rapidly over this time. Consumers earlier may not have known about the extent of this collection or the ways in which it is used. That ignorance is being shed steadily as overall ‘tech-awareness’ grows across societies.

The laws and regulations now have been framed against this backdrop and to allay and address exactly these (rightful) fears and concerns of citizens and consumers. These laws all therefore seek to put power in the hands of consumers and citizens, as opposed to those of corporates or even governments. The most well known of these laws is of course the European Union’s General Data Protection Regulation (GDPR), put in place on 25 May 2018.

The GDPR is perhaps the most stringent data protection law in the world. It stipulates that EU citizens’ data can only be collected by their consent, that companies must state their intent to collect data clearly, upfront and explicitly without placing it in unnoticed places such as deep in their terms and conditions, and that the language must be easily understandable by consumers. Businesses must also let consumers access their own data, take that data for use elsewhere, and request that it be completely erased from the records. GDPR non-compliance penalties are high: the greater of fines up to Euro 20 million or 4% of the company’s annual revenue. In fact, more and more companies and jurisdictions around the world have strict data protection laws today, if not as well known as the GDPR (or perhaps not as stringent yet).

The message is clear: societies and governments today expect companies to protect the privacy and personal data of their consumers. Going further, the Uber case also underlines the mandatory need for companies and businesses to disclose any security breaches (which after all can happen despite the best protection!) and to alert both customers and the authorities accordingly instead of keeping them hidden or covering up.

Consumer data privacy is thus the fundamental lens through which both cybersecurity and regulations must be viewed. Businesses can ‘theoretically’ choose to not invest or underinvest in cybersecurity (but only theoretically – practically, too much, i.e., hard money, is at stake!) but they do not have a choice in investing in consumer data protection – it is mandatory by law and a matter of compliances that will only grow and be taken more and more seriously over time.

The Implication for Businesses

Recognizing the exponentially growing challenge of cybercrime and investing in cybersecurity is a no-brainer today for companies and businesses irrespective of their size or sector. Companies must ensure both that cybercrime does not impact their operations and financial performance and that all regulatory compliances are met.

However, the Uber incident highlights a third dimension: that a company’s data strategy goes beyond both business protection and compliance-meeting safeguards and also enters the complex legal territory of cyber law in terms of handling incidents of data breaches and other cybercrime. In other words, you must not only follow the regulations on the collection and use of customer data and protect your own business operations and finances from such crimes, but you must also know how to handle the situation when such incidents do occur – especially as, given the nature of technology, they are likely to occur from time to time. In such cases, full disclosure must be made and all other steps as applicable in accordance with the law must be followed. Remember, the Uber ex-CSO was convicted for non-disclosure of the data breach, not the breach itself!

Thus, data strategy and policy in today’s world of business is a multifaceted and multidimensional affair which must take a host of factors across technology, business and legal into account. And that is where expert consultancies like MBG step in to provide the best solution across all these varied aspects.

MBG’s renowned cybersecurity and GRC services ensure both security and data protection and privacy regulatory compliances while providing strong organizational controls over data theft and cyber threats.

So contact us here for more on how to protect your business AND the privacy of your customers!
