Hacks and data breaches: recognise critical lessons
In the Netherlands we have already found that our electoral system is far from risk-free, and it now appears that the national tax authority (the Belastingdienst) and the Dutch Land Registry (the Kadaster) have also been hacked.
Russia, China and Iran have made hundreds of attempts to hack into Dutch government departments and Dutch companies over the past six months, according to the head of the AIVD security service. The core problem is that unauthorised people can gain access to information, change it or share it with others. This includes databases holding confidential information such as health records, records of property ownership and mortgage collateral. Such vulnerabilities carry major risks.
Recognise critical lessons in hacks and data breaches
While these hacks and data leaks have shaken up the digital security world over the past month, it is important to recognise the critical lessons we can learn from them. This will certainly not be the last threat to the security and privacy of data. In fact, as more data becomes available and more solutions get pushed into the cloud, one can only expect the frequency of these incidents to increase.
With the aim of raising the level of data security in Europe, Directive 2002/58/EC (the ePrivacy Directive) introduced in its latest amendment an obligation for providers of publicly available electronic communication services to notify personal data breaches to the competent authorities and to the affected individuals.
The General Data Protection Regulation (GDPR), which will soon come into force, extends this obligation to all data controllers and processors in all sectors. In particular, under the GDPR security covers confidentiality, integrity and availability equally and is to be approached on a risk basis: the higher the risk, the more rigorous the measures the controller or processor must take to manage it.
Security and Privacy by Design
Adopting ‘privacy by design’ and ‘security by design’ (incorporating appropriate safeguards when transmitting and storing sensitive data) can be the answer to many of these data breaches and hacks. Security and Privacy by Design is an approach to systems engineering that takes both security and privacy into account throughout the whole development process. It is an approach to projects that promotes privacy and data protection compliance from the start. Unfortunately, these concerns are often bolted on as an afterthought or ignored altogether.
Strong encryption and multi-factor authentication (2FA) should protect sensitive data throughout its lifetime, right up to the moment it is finally deleted. While this is recommended for all new development projects across all industries, many data protection authorities consider security and privacy by design, alongside encryption and strong authentication, a “must” for new technologies and will, if a complaint is made, ask why security and privacy were not taken into account during the initial design phase.