Categories: Trends in business compliance

Round-up on compliance issues with blockchain technology

One of the hottest topics of 2017 is blockchain. This advancing technology is presented as the possible solution to nearly every business problem conceivable. Companies across all industries, from banking to food production and seemingly everywhere in between, are experimenting with how they might use blockchain to make their reporting and related processes more reliable or efficient. Many are even contemplating how they might take advantage of blockchain to market software applications to other companies, hoping to enter the profitable fintech (financial technology), regtech (regulatory technology), or suptech (supervisory technology) markets.

But what is blockchain? Most famously, it is the core technological component of the well-known cryptocurrencies, such as Bitcoin or Ethereum. Simply put, blockchain is an open list of records (grouped into the “blocks”) which are securely linked together with cryptography. Because each block is identified by a cryptographic reference to the block before it, altering one record would break the links that follow it, so the data contained therein is well protected from individual manipulation or alteration. This is a decentralized computing system which is highly useful for recordkeeping and records management activities, especially those where security is paramount, such as identity management and medical records.
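To make the linking concrete, here is an added Python toy (not code from the original post or from any real blockchain) that builds a small hash-linked record list, shows a later edit breaking the links that follow it, and shows why the chain alone is not enough without independent copies of it; the SHA-256 choice, the Block fields and the sample contribution records are assumptions.

```python
"""Toy hash-linked ledger (added illustration, not a real blockchain)."""
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import List, Optional, Tuple

GENESIS_PREV = "0" * 64  # constructed sentinel: the first block links to "nothing"


@dataclass
class Block:
    index: int
    prev_hash: str   # SHA-256 digest of the previous block (the cryptographic link)
    record: dict     # the business data this block carries

    def digest(self) -> str:
        # Canonical serialisation so identical content always hashes identically.
        payload = json.dumps(asdict(self), sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(payload.encode()).hexdigest()


def append_block(chain: List[Block], record: dict) -> Block:
    prev_hash = chain[-1].digest() if chain else GENESIS_PREV
    block = Block(index=len(chain), prev_hash=prev_hash, record=record)
    chain.append(block)
    return block


def verify_chain(chain: List[Block]) -> Tuple[bool, Optional[int]]:
    """Return (ok, index of first bad block). A block is bad when its index is
    out of sequence or its prev_hash differs from the recomputed digest of the
    block before it."""
    expected_prev = GENESIS_PREV
    for i, block in enumerate(chain):
        if block.index != i or block.prev_hash != expected_prev:
            return False, i
        expected_prev = block.digest()
    return True, None


def relink_from(chain: List[Block], start: int) -> None:
    """What a party holding the only copy can do after editing: recompute the
    links so the chain verifies again. This is why the safeguard is the
    independent copies held by other parties, not the hash chain by itself."""
    for i in range(start, len(chain)):
        chain[i].prev_hash = chain[i - 1].digest() if i else GENESIS_PREV


def demo() -> dict:
    # Constructed sample: a tiny pension-contribution ledger.
    chain: List[Block] = []
    for rec in ({"account": "A-1", "contribution": 500},
                {"account": "A-1", "contribution": 750},
                {"account": "B-2", "contribution": 120}):
        append_block(chain, rec)
    honest_copy = [Block(**asdict(b)) for b in chain]  # an independent node's copy
    ok_before, _ = verify_chain(chain)

    chain[1].record["contribution"] = 75000          # edit a record after the fact
    ok_after, bad_at = verify_chain(chain)            # the block *after* it breaks

    relink_from(chain, 2)                             # single party covers its tracks
    ok_relinked, _ = verify_chain(chain)              # local check now passes again
    tips_match = chain[-1].digest() == honest_copy[-1].digest()  # cross-check fails
    return {"ok_before": ok_before, "ok_after": ok_after, "first_bad": bad_at,
            "ok_relinked": ok_relinked, "tips_match": tips_match}


if __name__ == "__main__":
    print(demo())
```

Comparing the digest of the latest block against another party's copy is the one-line check that catches the rewritten ledger.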

Due to the broad desirability of a secure and adaptable record maintenance technology, blockchain, which was first developed less than a decade ago, has already been a disruptive influence in many industries. Across all business areas, companies are looking to blockchain for possible benefits to their reporting processes, all of them relevant to compliance.

  • Transparency for pension fund reporting is one major potential use of blockchain. Following the Madoff scandal and other highly publicized frauds in the investment management industry, there has been more pressure than ever in expectations for investor protection and reporting disclosures. Many pension funds have balked at public and supervisory demands for increased transparency, citing the cost of implementing additional reporting mechanisms against very low profit margins. This reaction does not help to enhance trust between investor clients and this fraud-vulnerable industry. The decentralized, secure nature of blockchain therefore offers appealing opportunities for filling this confidence vacuum. Blockchain-based platforms can give investors access to their own pension information without fears of data manipulation or increased cost burden on firms: How Blockchain is revolutionizing fraud prone industries
  • On a related note, banks and other financial institutions have borne much of the competitive pressure blockchain has created with the advent of cryptocurrencies, but they also stand to benefit from it if they can make the best of it. Cryptocurrencies such as Bitcoin are a compelling alternative to the centralized, traditional banking system for customers who desire extra security or anonymity. While cryptocurrencies have traditionally been depicted as a safe haven for illegitimate or even illegal payment activities, the mainstream attention on them has created a broader appeal and audience for them. In response to the interest their customers have shown in cryptocurrencies, banks have started to delve into the potential of blockchain technology. Some have invested in tech start-up companies concentrating on various blockchain applications, while others have delved more deeply into relationships with fintech partners. At this point banks’ proprietary efforts have mostly been restricted to in-house research on potential uses of blockchain, but competitive momentum will inevitably start to drive larger institutions toward developing their own projects in this space. These developments are likely to encourage efficiency, inspire leaner and more innovative business models, and serve the regtech and suptech goals of increasing cooperation with regulatory authorities. Ultimately this could help the persistently staid, legacy-driven banking industry modernize toward a bolder and more transparent business model: How banks and financial institutions are implementing blockchain technology
  • The advertising industry is newly subject to regulatory scrutiny with the upcoming EU privacy law, the General Data Protection Regulation (GDPR). This law will apply to any organization doing business in, using technology in, or targeting the citizens of, any EU country, so it has a broad global reach. The GDPR will impose new requirements for handling and controlling private data, including protective and disclosure obligations. Blockchain-based solutions are therefore attractive: they can be secured against manipulation or leakage while also being distributed with open access, so that users making disclosure requests can see the information directly for themselves. This will help to reduce the burden of this reporting and improve cost margins, compared with building expensive and vulnerable in-house solutions or outsourcing the reporting to third parties with their own attendant risks: How Blockchains Can Help the Ad Industry Comply With the GDPR
  • Commercial aviation is another industry looking to blockchain systems to help with its risks, in this case in cybersecurity management. Airlines and support companies rely heavily on IT systems for everything from flying and directing aircraft to booking and managing passenger travel. These systems are highly imperfect, as the system outages and computer crashes that lead to flight cancellations and stranded passengers show in the news each year. They are also vulnerable to cybersecurity risks, where intruders could breach personal data, disrupt airline operations, or corrupt and steal client and aircraft information. Storing and protecting this data within vulnerable or legacy systems poses many cybersecurity challenges. The concept of tamper-proof blockchain technology is therefore compelling to the aviation industry for these obvious reasons. Blockchain could help to keep operational data safe and protect companies from cyberattacks. More importantly, pressure to adopt it could drive aviation companies to make the difficult yet very important technological updates and improvements to their systems which will serve safety and regulatory concerns alike: How Blockchain, Cloud Can Reinforce Cybersecurity in Commercial Aviation
  • The pharmaceutical industry has long been vexed by inaccurate and unreliable supply chain tracking. It is especially vulnerable to stolen and counterfeit medication entering the supply chain untracked and finding its way to patients, putting their safety at risk. Tracking medicine with blockchain could change all this. A consortium of pharmaceutical companies, including major firms Genentech and Pfizer, is already collaborating on a tool called the MediLedger Project, which seeks to manage the pharmaceutical supply chain and track medicines within it to ensure that drug deliveries are recorded accurately and transparently. This would take the current complicated and inefficient network of supply chain software to the next level, securing the supply chain with an integrated and decentralized blockchain system. It could also enable companies to share essential information with partners and customers without exposing sensitive business information, which has been a challenge in the industry so far: Big Pharma Turns to Blockchain to Track Meds

Blockchain offers many potential advantages from a compliance perspective: it could enhance transparency, protect privacy, address various process-driven risks, and strengthen cybersecurity controls, among other benefits. As the technology advances, time will tell how broad the applications of blockchain may be across these diverse industries with similar needs for compliance risk management.

Categories: Compliance in current and historical events

Compliance lessons to learn from the 2017 Equifax cybersecurity breach

Equifax is one of the major US-based consumer credit reporting agencies. It operates globally and, due to the nature of its business, maintains sensitive and personal information on more than 800 million individuals and more than 80 million organizations.

In September 2017, Equifax announced that it had experienced a cybersecurity intrusion in July 2017 which impacted the data of up to 200 million consumers from the US, Canada, and the UK. The handling of this breach by Equifax was widely criticized and questioned. Among the controversial aspects of it were the two-month delay in publicizing it, the lack of specific information about the data compromised, the inadequate and possibly even unsafe system and support provided for impacted consumers, and the perception of possible insider trading by company executives in the days after the breach took place but before it was public.

As the problematic response to this cybersecurity incident unfolded, Equifax’s various blunders and missteps in the public handling of the situation formed a guide to worst practices in such a scenario. As the dialogue around Equifax’s response has shown, poor crisis management in the public eye only compounds the consumer protection problems.

  • Companies often do have legitimate reasons for delaying notifying consumers, regulators, and the public at large about data breaches. Sometimes companies do not even know they have been breached right away. Even once they are aware, law enforcement will sometimes request that they do not disclose the breach. Different types of data may be subject to different disclosure requirements, so companies also sometimes have to take time to determine what data was involved. However, these delays can still be very problematic for consumers, who can be unknowingly at risk and make assumptions about the seriousness with which their data is stored and maintained which might be very far from reality. Why it can take so long for companies to reveal their data breaches
  • While Equifax was taking its time notifying consumers and regulators of the data breach, questions abounded about when, and what, people on the inside knew about it. This is because only a few days after the July 29 cybersecurity intrusion, on August 1 and August 2, several executives at Equifax sold shares. These transactions were not part of scheduled trading plans, but they were not total liquidations of their positions, and the company says that the executives were unaware of the breach at the time of the trades. However, the perception of possible insider trading is hard to avoid once the timing of this activity is revealed. If they truly did not know about the cybersecurity problem, it would have been wise at least to inform key senior management of the breach and advise them to avoid trading in the stock while in possession of inside information. Three Equifax Managers Sold Stock Before Cyber Hack Revealed
  • Despite how private most people in the US consider their financial data to be, especially social security numbers and bank account or credit card information, current privacy laws are lacking in many key areas when compared to those in other parts of the world such as the EU. Top of mind among the privacy concerns, which include the need for consumers to input personal data to check whether their other personal data has been compromised, is that over a month went by before Equifax notified the public of the cybersecurity incident at all. In the 40 days that went past, the data could have been used for many illicit purposes without consumers even being aware they were at risk. Breach notification requirements in the US currently differ between states. There is no unifying directive in the US setting the standard where personal data is concerned, such as there will be next year in the EU under the General Data Protection Regulation, which requires notification within a maximum of 72 hours. Perhaps a higher standard in the US such as this one would reinforce the seriousness of these events to organizations and improve consumer protection and communication processes when they occur. Equifax breach disclosure would have failed Europe’s tough new rules
  • While these data breaches are unfortunately becoming so common that the public is often less alarmed by them now than in the past, irresponsible or insufficient responses by organizations to these breaches still provoke justifiable outrage and calls for change. Consumers being desensitized to the exposure of their personal data just shows how widespread the problem is and how insufficiently the interests of consumers are guarded. However exhausted the public may seem to be with the ongoing leaks and hacks of their private data, this is no excuse for organizations affected by them to respond with the same passive, indifferent attitude. Equifax’s lack of detail and inadequate communication displayed to the public that it did not care about the invasion consumers were suffering, which is quite a different message from the fatigue of victims who have had this experience too many times to excuse. The reputational risk suffered by such corporate carelessness is extreme, and hopefully will drive consumers to advocate for a higher standard of responsibility and responsiveness from keepers of consumer data. The Banality of the Equifax Breach
  • As the public contends with the reality of the Equifax data breach, namely that subsequent hacking attempts stemming from this breach are inevitable and that companies like Equifax do not meet the standard of care for protecting the private information in their possession, what can anyone do in the future? Holding companies accountable for their poor service by taking their business elsewhere is often the only choice consumers have to voice their displeasure. In the current system individuals aren’t really able to avoid the consumer credit reporting agencies, but organizations could opt to create and use independent systems with more secure infrastructures. These corporate users could drive a technological shift that would also benefit individual consumers. Blockchain and related technologies could provide the solutions to these vexing and chronic security concerns that the existing system seems unable to address. It’s time to build our own Equifax with blackjack and crypto

Given the ever-increasing risks surrounding cybersecurity, compliance professionals and individuals interested in cybersecurity risk management can take many cues from Equifax’s example above on what not to do in such a situation. Hopefully, as organizations continue to live with the risk of such intrusions and improve their control frameworks to prevent and mitigate them, they will also pay attention to their public responses in such situations, to make sure that the statements made and guidance provided are adequate and accurate.

Categories: Best Practices

Creating employee awareness for cybersecurity risk management

Cybersecurity is one of the major risk areas for businesses of all sizes and a frequent examination and enforcement priority for regulators. The challenges posed by cybersecurity are diverse and serious: data privacy, breaches of sensitive customer or employee information, business continuity, reputational risk due to information leaks or data loss, physical and financial damage to the IT network or infrastructure, and more.

Addressing the threats posed by possible cyberattacks or security weaknesses is very important for organizations, but all protective measures rely upon the engagement of employees in accomplishing this objective. Obtaining this engagement requires effective communication to employees to raise their awareness and encourage their understanding of the daily objective at hand.

  • Make relevant policies accessible, relatable, and easy to understand: In order for employees to understand their responsibilities in a cybersecurity program, the governing policies and procedures must be simple and straightforward. The policies should be easy to locate on the organization’s intranet or in the policies manual or employee handbook. They should be written in plain English and provide the essential information and guidance necessary for employees to understand what they must do to protect the company and themselves. Individual objectives and obligations should be highlighted and reinforced by line managers.
  • Connect the cybersecurity program to stakeholder commitments: For employees who are not IT professionals, the risks inherent to and controls necessary for cybersecurity may seem abstract. However, there are fundamental organizational values which can be concretely attached to the objectives of a cybersecurity program. Taking the privacy of customer and/or employee data seriously is not an esoteric concept; it is important to every employee on a personal level. Being trustworthy and transparent about this goal, likewise, is something everyone can support for the good of the organization. Establish a connection between the goals of the cybersecurity program and the company’s stakeholders such as customers, business partners, and regulators/supervisors. Emphasizing these duties will enable employees to see how important cybersecurity controls are to those relationships.
  • Set expectations for personal responsibility: As with all compliance risk topics, the tone at the top is critical to establishing the mood in the middle and the buzz at the bottom. Employees will not prioritize a topic unless leadership clearly and sensibly advocates for its importance. Senior management should express that each person working in an organization has individual accountability for protecting the company from cybersecurity risks and attacks. An employee’s responsibilities may seem minor or not worth publicizing, but these practical measures are often the most fundamental in keeping the organization’s IT systems secure.
  • Emphasize conduct and basic good practices: Every compliance program begins at the beginning. The building blocks of security protections must be strong starting with the most fundamental measures. Advanced protocols and encryption methods are not the message to take to the general employee population. Rather, focus on their own individual conduct and best daily practices, such as caution with data handling to avoid human error like misdirected e-mails or lost devices and files. It is imperative that the workforce understands and takes responsibility for managing these simple, widespread risks arising from their own behavior.
  • Publicize successes and take action on failures: The organizational message of open seriousness about cybersecurity risks should be consistent. When there are successes – such as proactive identification and remediation of a security weakness without a data breach, or improvement in employee conduct around reporting phishing emails – publicize them and discuss them. Positive reinforcement is key. However, when there are failures – such as the detection of an unauthorized intrusion or a string of employees losing laptops and flash drives – then these too should be communicated broadly and acted upon promptly. In this case it is not negative reinforcement but rather directed analysis to improve in the areas which current evidence shows need the most work.

With the broad landscape of cybersecurity risks in view, and the methods and objectives of cyberattackers evolving continually, control frameworks for cybersecurity will remain an ongoing project in compliance programs. Creating and maintaining basic employee awareness of and sensitivity to these risks is crucial to ensure that all other controls can be as effective as possible.

Categories: Trends in business compliance

Round-up on the ethics of the Internet of Things

The Internet of Things refers to physical devices which are inter-networked and can share and store data between themselves. This includes things such as televisions, cars, buildings, and other objects that have network-connected technology inside which allows them to be accessed and controlled remotely via computer-based networks. It also includes systems that operate in this way, such as smart homes, grids, and cities. These things can be identified and operated individually but are also part of the interconnected system and can have co-dependencies.

There are obvious ethical issues with a highly connected and complex system such as the Internet of Things, where tremendous amounts of data are stored and shared and ultimately used in often mysterious or unclear ways: certainly to improve the intelligence of the Internet of Things and make it operate more efficiently, but also potentially for malicious or dishonest purposes. Security vulnerabilities in a system which is remotely accessible are also an alarming risk, as unauthorized intrusions or destructive attacks could render everyday items such as cars or door locks inoperable or turn items such as smart houses or transportation networks against their users.

  • The technology that drives the Internet of Things has grown explosively, and legal and compliance frameworks have not been able to keep pace. Questions of liability that arise from cyberattacks on the Internet of Things and rules of responsibility governing companies working within this space are largely undefined. The Internet of Things may bring change to society similar to that of the Industrial Revolution. A thoughtful view on regulations and ethical guidance to protect privacy and security from the earliest design point in the industry is crucial: The Internet of Things Needs a Code of Ethics
  • Among all the fears of artificial intelligence and sentient, unfriendly robots with autonomous weapons, the real risk of the Internet of Things will still lie in the hands of humans. Hackers are a big threat to the system’s security and this risk must be taken seriously, with organizations investing in controls to prevent and mitigate attacks, intrusions, and disruptions that could damage devices, harm people, and interrupt business operations: Why Hackers Will Become a Significant Threat to the Internet of Things
  • The data produced in the Internet of Things is a major security and privacy consideration. Users of these interconnected devices may not realize how much information the devices have about them and their activities. The Roomba, a small robotic home vacuum, was an early entrant to this market. The company that makes it, iRobot, has said it hopes to make money from selling maps of users’ living rooms to other companies. Profiting from customer data through third parties is nothing new in the internet company world, but there are many questions of privacy, notice, and consent which remain to be answered: The Internet of Things is a data farm, Roomba won’t be its only profiteer
  • Cybersecurity fears about the Internet of Things extend to the U.S. government as well, where legislators have proposed to make sure that smart devices can receive security updates like traditional computers. Lawmakers also seek to prevent manufacturers from hard-coding passwords into their system tools, which hackers can use to take control of the related devices. The U.S. government is just as interested in the objects of the Internet of Things as consumers are, and safeguarding against present and future risks from them is top of mind: Two U.S. lawmakers think the government has a new cybersecurity problem: The Internet of Things
  • So what does all this mean for the future of the Internet of Things? Will its risks slow its growth, or will it continue to advance in both complexity and connectivity, its risks unchecked or outpacing the frameworks created to control them? It appears likely that the value and appeal of connection, and the fear of not being able to function and communicate, will outweigh the desire to withdraw from it for safety and privacy purposes: The Internet of Things Connectivity Binge: What Are the Implications?

The intelligence and complexity of the Internet of Things will continue to grow as consumer applications become more in demand and commonplace. The need for strong security standards and clear customer protections will expand in kind. Privacy, safety, and control are all ethical concerns which compliance programs at the companies working on the Internet of Things will have to consider prominently in future risk assessments and strategic plans.