Cyber security and privacy in emerging technologies – if data is the new oil, how do you stop the leaks?
December 2016 | PROFESSIONAL INSIGHT | RISK MANAGEMENT
Financier Worldwide Magazine
Sixty years ago, whirring away in a facility in Santa Monica, a program known as ‘The Logic Theorist’ quietly and elegantly developed an undiscovered proof to a known mathematical theorem. This first ‘thinking machine’ was the original demonstration that a program could solve tasks and generate improved understanding in areas previously confined to ‘mere’ human intelligence.
Fast forward to the present day and intelligent software and digital AI technologies capable of simulating human reasoning and learning are being highlighted around the world. DeepMind’s ‘AlphaGo’ has made headlines for achieving the impossible: the first computer program to have beaten a professional ‘Go’ player. Connected autonomous vehicles, with the ability to learn, respond and adapt independently to the environment and to the unexpected, seem poised to shift the way we think about human movement.
These are grand examples, but just as striking is the assemblage of digital technologies that are already inspiring competition in consumer markets, such as ‘digital assistant’ technologies (Apple’s Siri or Microsoft’s Cortana), wearable computing, sensor technology and drones. Many businesses, too, are taking advantage of the flexibility, learning capabilities and connectivity of new cloud technologies to improve and digitise their services to engage a wider audience.
Data is the new oil
So what links these innovations? It comes down to data.
Emerging technologies are capable of harnessing enormous amounts of data in real time and seamlessly communicating that data around a complex network of other connected technologies. Of course, such data is immensely valuable for commercial and research entities. Sophisticated data monitoring and analytics can provide organisations with a competitive advantage, better decision-making and improved knowledge about service users: where they go, what they buy, and what their habits and preferences are.
Such practices are hardly new, but with emerging technologies it is the volume of data and the scale of connectivity that set them apart from traditional technologies.
However, with unprecedented data flows come new and unmatched security risks, both to the integrity of organisations’ systems and to the privacy of individuals. The key question becomes: how do we capture the opportunities of a fast moving data-driven economy while keeping that data secure? Cyber security and privacy principles go hand-in-hand in providing the answer, and ensuring businesses stay on the right side of regulators and consumers.
Cyber security: responding to a new threat landscape
In an era of connected technologies, the quality and safety of digital services is key. Cyber security practices are evolving, but is it happening fast enough?
The security threat landscape is changing rapidly: the advent of smart connected technologies means any small, connected element might become a potential point of vulnerability to the whole system. The recent attack on Domain Name System provider Dyn is a good illustration, as a sustained cyber attack was launched through various fringe (but connected) parts of the system, including CCTV cameras, printers – even baby monitors.
To meet the cyber security challenge, organisations must look at the full system architecture – from workstations, communication links and storage infrastructure through to vehicles, wearables and medical devices – anything with the potential to connect. Yet achieving this is difficult where complex systems reside within complex networks of systems, often designed and operated by different companies. What steps will make a difference?
Harnessing emerging technologies could provide a solution. For example, current machine learning technology can use advanced analytical techniques to pick out and monitor intrusions and analyse systems for weaknesses in real time to increase threat intelligence.
There is, however, no substitute for the basics. Most security breaches arise out of simple human error, and regular and effective staff training supported by appropriate and detailed policies can ensure cyber security becomes a shared culture among employees. Bringing in external advice where there are gaps in a team’s expertise will help, and integrating cyber security into digital business models from the outset will increase trust, efficiencies and confidence across an organisation.
A final tip is to make cyber security a boardroom issue. Tougher legal regimes mean that regulatory penalties can reach headline-grabbing levels, with maximum sanctions shortly to rise to 4 percent of global turnover or €20m (£17m) under EU law from May 2018. But regulatory fines can pale in comparison to the commercial consequences of a major breach. TalkTalk’s £400,000 fine this October looks meagre next to the £60m in lost revenue the company suffered from the loss of confidence and drop in its customer base. Well-implemented cyber security practices have the dual benefit of avoiding losses while adding value and increasing user trust.
Data privacy: protecting the individual within the data
Hand-in-hand with data security is the protection of privacy of individuals.
Mass data flows and the connectivity of everyday devices raise difficult questions about how we can best protect individuals’ fundamental right of privacy. Smart devices record habits, lifestyles and health patterns, providing useful information to companies to improve products and services. But who else is tracking? And what assumptions and biases are being made?
Emerging, data-heavy technologies therefore carry a unique set of privacy challenges. Communication between smart devices can often be triggered automatically and the digital boundaries of that communication may be poorly defined. Add to this that there may be many different stakeholders carrying out separate activities within the data processing lifecycle – from device manufacturers to data-aggregators and application developers, who may seek to repurpose that data for entirely different uses. Intrusive practices can mean that what might have once been anonymised or insignificant user data may be used to make more consequential inferences.
Lack of user control is therefore a huge issue and pervasive across technological developments. But for businesses, the need to obtain specific, informed consent from individuals for each kind of processing of their data is likely to present challenges where traditional consent mechanisms are not up to the task.
The solution, in many cases, is to embed privacy defaults at all stages, within the design of devices and applications and as close as possible to the point of data collection. Businesses will need to design and implement privacy-friendly policies around the use of data, and where possible develop new methods of giving information to users, allowing for greater transparency and individual control.
Compliance will be key. Under EU and UK law controllers of data are required to implement technical and organisational measures to protect against unlawful or unauthorised processing of personal data. Where organisations fall short, affected individuals have a strong set of rights to demand resolution and, in some situations, to receive compensation. These rights are in line to be bolstered by legal changes in 2018.
So where are we now?
Despite Brexit, the impact of EU laws on the UK’s privacy and cyber security landscape will be significant. The UK’s longstanding Data Protection Act seems certain to be recast to fit in with the EU’s new data protection framework and to facilitate data flows into the EU.
And assuming that legal and regulatory compliance can be achieved, key questions remain. How can technology providers maintain public trust in a new data-driven environment? Studies indicate that, for the majority of consumers, trust once lost is hard to regain. Some have proposed introducing a ‘trust label’ to be applied to Internet of Things technologies, where their cyber protection is as good as current knowledge allows.
The first ‘thinking machine’ began an innovative movement towards new, connected technologies, but we are still struggling with the challenge of balancing security, privacy and opportunity. However good a new technology is, and however much it can make the user’s life quicker, easier and more efficient, it will be at risk unless cyber security and data privacy can be maintained.
Edward Hadcock is an associate at Mills & Reeve LLP. Mr Hadcock can be contacted on +44 (0)1223 222 205 or by email: edward.hadcock@mills-reeve.com.