Security-Privacy: How do we get the right risk reward balance

Suresh Kumar, Partner & CIO, Grant Thorton

New regulations and legislations are coming into effect across the globe impacting businesses. One of the major regulations related to Data privacy and security is the European Union’s General Data Protection Regulation (GDPR), which came into effect from May 25, 2018. A recent update about GDPR is UK’s Information Commissioner’s Office has imposed substantial fines on two large organizations for data breaches. Firstly, a fine of US $230 million on British Airways for a security incident that led to theft of customer data in September, 2018. Another fine of US $ 124 million has been imposed on Marriott International for a data breach at Starwood which it acquired in 2016. Both the penalties are very high and severely impacted these organizations.

In the US, the Healthcare sector has HIPAA since 1996 that has penalties for data breach of patients’ records. Another regulation is COPPA, or Children’s Online Privacy Protection Act that regulates collecting data directly from children under 13 years of age. Under COPPA, even seemingly straightforward online data collection and storage practices such as logging an IP address or storing an email address are subject to strict requirements, such as providing notice and obtaining advanced parental consent prior to collection or storage.

Russia has enacted a new law called RuNet law that will significantly impact Internet and Telecom providers and affect social media platforms. This law will come into effect from 1 Nov 2019 and establishes a centralised Russian Internet data traffic routing system. Which would mean businesses will need to install additional network equipment that will route data to central monitoring agency.

In India, right to privacy is a fundamental right and it is necessary to protect personal data as an essential facet of informational privacy through“THE PERSONAL DATA PROTECTION BILL, 2018”. This regulation is very similar to GDPR and places great responsibility on businesses. Similar to GDPR, there are provisions of hefty penalties up to 2% of worldwide revenue of INR 5 Crores, whichever is higher.

Changing relationship between compliance and security

Adherence to industry compliance regulations is increasing year-on-year. Regulations such as the PCI DSS, HIPPA for retailers/travel industry and healthcare organisations respectively require IT administrators to implement controls necessary to support their compliance framework. 

On a broader perspective, compliance is not security. We might have managed to implement the controls outlined in HIPAA/PCI DSS which highlights the technical safeguards necessary to protect patient data; however, that does not mean that your network/infrastructure/assets are safe. The guidelines provided in the respective industry compliance should serve as a template for the organisation’s security program, enabling organisation to build out a robust security strategy from the very foundation.  

Balancing security and running the business

Aligning the information security policy with the mission, vision and objectives of organization is the key to achieve the right balance between protecting the organization and running the business. Management and the board should be kept updated on the new regulations, changes in the threat landscape along with a robust Risk Management policy. Identification of therisks and updating the risk register and the steps to mitigate them, there is a need to change the thinking of Risk from a worst-case scenario to a ‘Structured what-if-technique’ (SWifT).

Due diligence is the need of the hour for third party vendors, suppliers, contractors etc. on a information security perspective. Vendors should be aligned to the IS standards of organization. Organisations should also benchmark their cybersecurity alignment with industry best practices such as NIST/CIS etc.

Security needs to be a priority in day-to-day activities and build the business practices. Security cannotbe treated as a one-time exercise. Keeping this in view, we should invest in building our security and compliance programs in achieving the best security framework for the organization and clients.