Data protection doesn't have to be a four-letter word
With concerns over data privacy growing apace, how do you prove to a user that their sensitive personal data has been erased, asks Pat Clawson.
Pat Clawson, CEO, Blancco Technology Group
To say there's a lot of information in the digital universe is an understatement of epic proportions. Just think about how many networks, servers, hard drives, virtual machines, computers, laptops, smartphones, tablets, flash media drives and cloud drives exist today. To put this into context, back in 2012, IBM reported that 2.5 billion gigabytes of data were generated every day.
With all of this data come great benefits, including increased connectivity, rich data, efficient processes and improved quality of life. Doesn't that sound amazing? Yes, it does. But we can't let our excitement about these benefits blind us to the fact that all of that could just as easily become a liability.
Let me explain why. You have personal usernames and passwords, financial/bank account information, credit cards and debit cards linked directly to mobile devices, health records, social security numbers and so much more sitting in all of these environments.
So every time a retailer, a healthcare provider, a financial institution or other type of business doesn't erase data permanently, they're putting themselves and their millions of customers at risk of data breaches, cyber attacks and identity theft. Remember the infamous scandal in 2014 when the iCloud accounts of dozens of celebrities were hacked? For actresses like Jennifer Lawrence and Kate Upton, it was tough to escape the embarrassment and frustration of having nude photos leaked.
But for the world at large, one where mobile devices are often upgraded, traded in, recycled and resold, it just makes it that much easier for a hacker to walk into your digital space unnoticed and steal data. Now consider this: an individual's smartphone is likely to contain personal usernames, passwords and even bank account details. Meanwhile a corporate device is likely to store the user's credentials for accessing the corporate network, leading to the prospect of leaked intellectual property or financial records.
When you consider that IDC reported that 334.4 million smartphones were shipped worldwide in the first quarter of 2015, it leaves the door wide open for potential security breaches to occur. Failure to protect customer data doesn't just result in legal fines and sanctions, it can also destroy brand reputations, customer trust and loyalty, which can curb long-term revenue growth significantly.
Europe miles ahead of US in data privacy
In Europe, we're gearing up to see the introduction of the EU General Data Protection Regulation across all 28 member states. The directive introduces huge fines for companies that fail to protect the data they collect from consumers and strengthens users' “right to be forgotten” when they close their digital accounts.
Now remember the many ways people come and go across the digital universe every day. What happens when someone wants to shut down his account on Facebook? Is all of the data Facebook collected for that person erased and removed forever? Shouldn't that user have the right to ask Facebook to prove 100 percent that all of the user's data is gone forever? The “right to be forgotten” isn't just a right that's applicable to Europeans – Americans should have the same right.
If I'm being honest, Europe is miles ahead of the US in its attempts to protect data. But even within Europe, the true test will be just how successfully the new EU GDPR legislation is applied. Do businesses know the steps they need to take to ensure a user's data is wiped securely, safely and irreversibly? And will consumers enforce their right to ask for proof that all of their data has been successfully destroyed?
One thing that I'd love to see is these European attitudes towards consumer protection exported overseas to the US and beyond. After all, virtually all of the major technology players that we interact with on a daily basis – Google, Facebook, Samsung and Huawei, to name just four of the big players – are headquartered overseas. Data doesn't respect national borders and isn't always stored in the country in which the user resides. We now live in a global marketplace and only when we have global protection will we be truly secure.
Deleting and destroying data are very different things
If there's one thing I could tell businesses and consumers, it would be this: There's a big difference between deleting data (which can usually be recovered) and destroying it. In fact, right now just 20 percent of major organizations are wiping their devices properly.
We in the security industry have a duty to work closely with the private sector and governments to educate the market and actively change the situation for the better. It's going to take a lot of introspection, honesty about the true flaws and gaps in our systems and ultimately a willingness to drive real change beyond having discussions from afar.
Contributed by Pat Clawson, CEO, Blancco Technology Group.