Data security in 2018: the year in review
Welcome to a round up of what was undoubtedly a huge year for data security, not just for fresh regulations and massive data breaches, but also new risk factors. As we head into 2019, read on to see where we are at the end of a busy year.
GDPR is here!
Compared to the rush to get compliant by May’s deadline, for many it can feel like it all suddenly went quiet on the GDPR front after that. We’re also yet to really see any repercussions for significant data breaches in the UK since GDPR, with no large fines yet meted out for non-compliance. Nonetheless, some recent research can help us to understand how well organisations have managed their GDPR compliance:
- Only 20% believe themselves to be fully compliant, even though the deadline has passed
- 74% expect to be compliant by the end of 2018 and 93% by the end of 2019
- In the first month, the ICO received 1,300 complaints and 60 self-reported incidents of breaches of customers’ personal data
- 70% of organisations are not yet responding to requests for personal data within the one-month time limit
- 57% of citizens now have a better understanding of how companies use their data
What can we draw from these results? Clearly, organisations are still struggling to reach full compliance, and with heightened awareness amongst the general public of their rights as data subjects, it feels only a matter of time before fines start being issued.
So, expect 2019 to be an even bigger year for GDPR.
US compliance follows GDPR’s lead
Recent regulation in the US shows that legislation worldwide is beginning an overdue catch up to the current information security climate and risk landscape.
For one, NY DFS Cybersecurity Regulation (23 NYCRR 500) controls have now come into force. Designed to reduce the risk of data breaches for financial services firms handling NY financial data, the regulation requires organisations to deploy state-of-the-art methods to secure data as its shared and used.
On the other side of the country, the California Consumer Privacy Act, or AB 375 was passed in June and aims to provide Californian consumers with control over their personal data. When it takes effect, in January 2020, it will be the strictest data privacy law in the United States and is similar to the GDPR in its wide-ranging scope.
These two new regulatory initiatives join existing legislation such as GLBA and HIPAA and show that a more comprehensive and punitive compliance requirements are fast becoming the new normal both in Europe and the United States, with organisations in many industry verticals having to adjust to the new stricter guidelines.
Three of the biggest data breaches in 2018
2018 saw some major data breaches, with more media coverage on information security than ever before. Indeed, the reputational damage caused by these breaches is often worse than any fines received. Some high-profile data breaches from 2018 are discussed below:
Facebook suffered two types of data breach this year. First, there was of course the breach linked to the Cambridge Analytica scandal, which affected 87 million accounts. The incident, where massive amounts of personal data were harvested dishonestly, was a turning point in the general public’s understanding of data security. Then in September, a further 30 million accounts were compromised via a bug in the “View As…” feature. 15 million of these users had their two-factor authentication data stolen, such as an email address, phone number or both. 14 million had, in Facebook’s words, the following stolen: “username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook…” the list goes on.
A September data breach at British Airways' affected about 380,000 transactions. While BA pointed out that this “sophisticated, malicious criminal attack” did not include travel or passport details, it did lead to many customers’ personal and financial details being compromised.
Hotel group Marriott International become aware of a breach in September that affected up to 500 million guests, though it was only reported in late November. For most of these guests, the details stolen included names, addresses, phone numbers, email addresses, passport numbers, dates of birth. For some guests, card numbers and expiry dates were also stolen. The hotel chain added that while these details were encrypted using AES-128, they couldn’t be sure if both components required for decrypting this information weren’t also taken.
Accidents and human error dominate
A creeping realisation was that more and more data breaches in 2018 were being caused not by hackers, but by people inside organisations simply making mistakes. Hence, there needs to be a change in approach to data security if we are going to prevent human error-led breaches. 2019 will surely bring more examples of accidental loss; the question is how well businesses and information security vendors are able to solve this problem.
This year’s Verizon Data Breach Report showed that miscellaneous errors were the second most common breach pattern, with over half of these errors attributable to mis-delivery of information.
The ICO also said that most incidents (88%) reported to them were down to human error. Data emailed to the wrong person was top of the list, with information being posted or faxed to the wrong person coming in second.
What can we expect in 2019?
For those who believed organisations would turn the tide on data breaches in 2018 and shore up their compliance processes, they were clearly wide of the mark.
In 2019, with increasing pressure being applied by the ICO in the UK and by other data protection regulators internationally there is unlikely to be as much patience for those organisations providing excuses as to why they aren’t GDPR ready.
So, expect examples to be made where businesses have not taken adequate steps to protect data, and the cost of data breaches to go up.
On a more positive note, organisations are starting to recognise that in many cases the biggest data security risk they face is the ‘insider’ (their staff), so expect greater investment in technology designed to protect and support users as they share sensitive data. Be that end-to-end email encryption, AI-powered insider threat prevention or auditing and compliance tools to provider greater understanding of how information is shared across the business.