Linking data privacy to security
by Marise Alphonso, Information Security Lead at Infoxchange
Privacy is a fundamental human right [1], and security is essential to the maintenance of that right. Those who work in the fields of data privacy and information security have a duty of care to protect personal information, build trust and ensure transparency “with consumers” of organisational products and services. By fulfilling this duty, they will facilitate innovation and societal growth, and operate within the guardrails provided by legal and regulatory frameworks [2].
In early May, Privacy Awareness Week [3] was celebrated in Australia with the theme of ‘Make privacy a priority’. The Office of the Australian Information Commissioner (OAIC) [4] facilitated several events to shine a spotlight on how we can improve personal information privacy practices within our homes and workplaces [5][6].
When personal information is provided to an organisation by a member of the public to obtain a product or service, the expectation is that it will be used for that and nothing more. Prior to offering a product or service, an organisation must perform a privacy impact assessment [7] to identify the risk of that personal information being compromised, and thereafter determine safeguards that should be implemented to address potential privacy impacts. A key step of this assessment is consideration of how personal information flows through the information lifecycle of collection, storage, use, retention and disposal.
The Privacy Act (1988) [8], which applies to Australian government agencies and organisations (entities) with turnover greater than $3 million, consists of 13 Australian Privacy Principles (APPs). APP No 11, security of personal information, refers to “reasonable steps to protect personal information an entity holds from misuse, interference and loss, as well as unauthorised access, modification or disclosure.” “Reasonable steps” [9] here refers to elements of an information security program including governance, policies and procedures, staff training and awareness, technical security measures, physical security, third party assurance practices and incident response.
Information security practices play a pivotal role in protecting personal information entrusted to an organisation. Examples where the privacy of individuals has been compromised due to gaps in organisational security practices include:
• Vastaamo, a company that owns a number of psychotherapy clinics in Finland, experienced a data breach that exfiltrated personal information and notes from patient therapy sessions. The company disclosed that this incident occurred in 2018, but it was only in September 2020 [10] that the attackers contacted Vastaamo with ransom demands. The company did not pay. Since then, a stolen database of Vastaamo patient data has been found published on the dark web, and attackers have contacted Vastaamo patients directly, threatening to publish their highly sensitive information unless they make a payment. The impact on those who used services provided by Vastaamo has been highly disturbing, ranging from discomfort about extremely personal details being publicised [11] to concerns about identity theft [12]. It is not clear how the Vastaamo data was exfiltrated, but indications point to the patient record system being accessible online via simple credentials.
• Equifax, the American credit bureau, experienced a massive data breach in September 2017 [13] that resulted in the personal information (mostly names, addresses, birth dates, Social Security Numbers) of roughly 150 million people being compromised. The incident was the result of security failures on a number of fronts [14]: an unpatched vulnerability on a website framework, Apache Struts, used by the company, lack of network segmentation, lax cryptography practices and delayed notification of the breach to affected parties. In early 2020, the US government charged those responsible for this data breach, calling it the largest ever theft of personal information by state-sponsored attackers [15].
Security practices are key to managing information security risks, protecting organisational data, and maintaining confidentiality, integrity and availability. However, these practices are of paramount importance when required to protect individuals’ right to privacy.
www.linkedin.com/in/marise-alphonso/