Uber, the world-renowned cab aggregator, started facing problems regarding data security as early as 2011 with its “God View”.
Now what actually was this God View?
Well, whenever Uber launched its Black Car and ride sharing services in major cities, it organized parties for that. At these parties, Uber executives showed what was a normal mobile application where Uber could see all the riders and drivers in a city on a screen as silhouettes.
Apparently, there were two versions of the “God View”. The anonymized version, which did not disclose the identity of the rider and the driver and the “Creepy Stalker version”, showing whereabouts and movements of specific Uber users in real time.
One attendee of a particular party could identify one of the riders, entrepreneur Peter Sims and messaged him telling him that she knows his whereabouts.
Peter was massively miffed and wrote a post which snowballed into regulatory investigations.
Uber’s problems didn’t end there.
There were two breaches of rider and driver data.
In May 2014, an intruder gained access to personal information about Uber drivers. 600,000 names and driver’s license numbers, 22 million names and phone numbers, and more than 25 million names and email addresses were accessed.
In October-November 2016, Uber failed to disclose the 2016 breach to consumers or regulators although it took place while the company was under investigation for the first breach as also the “God View” cases.
Uber ended up paying almost $148 Million as penalty for these data breaches. Its problems are still not over with its CTO being charged with obstruction of justice and misprision of felony in connection with the 2016 case.
Lessons To Learn From Uber’s God View Fiasco
If Data is God, then data security is religion.
Anything that compromises on user/consumer data is sacrilege.
With online transactions and usage happening almost in every field of life, not just limited to direct or personal, we knowingly or unknowingly give away plenty of personal data to companies.
From details about our educational performance through results announced online, to our information in databases of our school and college, professional memberships, personal information is shared at several places.
Most of the times, you can proceed ahead without sharing it. What happens to all this data is a nightmare most of us would only like to think and not experience.
World over, nations have formulated laws and policies to manage the safety of this humongous data. In spite of that, data privacy and security remains a major concern for companies and individuals alike. As we surf the net and come across sites, as we uses apps and services, we are required to fill in registration forms that capture a lot of our personal details such as:
- Email address
- Mobile no.
- Usernames and passwords
Now come to think of it, this is quite a lot of information that we’re handing over to companies who use it intelligently for their own benefit.
As a common user, one must be aware of what these assets are in the hands of such companies, what happens with this data, how companies take measures to keep this data secure and what they do with it (read: sell).
Having a deep look at some key terms used in Data privacy and security would certainly help many of us being aware and secure at the same time.
Importance Of Data Privacy
When a customer or user is asked to submit his/her personal data, the company collecting it has the obligation to keep it secure.
There is a legal and moral obligation to do so and in case of breach, there’s reputational damage to the company and could result in harm or damage to the client whose personal information is thus lost.
How Do Companies Manage Data Privacy And Data Security
Companies that require to collect, store, use and handle large amounts of data, especially personal information of its clients and users, are mandated by laws ( differing from areas and regions) to keep that data safe. It is also the moral responsibility of the company to ensure that all data that it handles and stores is secure at all times. This is done through several stringent internal security mechanisms.
Access control is the first step towards keeping all data safe and secure. Only authorized persons have access to all data that is collected and stored by a company. This ensures that accountability can be placed on a limited number of people in case of a breach.
Authentication: Use of passwords, PIN numbers, biometrics (fingerprint / facial recognition / iris scanners), authentication numbers are required to access any data.
Encryption: Most companies encrypt their stored data so that no one can make sense of the encrypted matter. In this format, all data, including personal information and email communication, is encrypted wherein text characters are converted into incorrigible characters which only an authenticated software algorithm can decipher. Unlocking such encrypted data is not possible by anyone who gets illegal access to it.
Appropriate Data Erasure: Just as collecting data is crucial for your business, it is equally important that all data that you hold, once it become obsolete or has served its purpose, needs to be disposed of properly so that it does not fall in wrong hands. Merely deleting data from your systems will not clear it totally. As anyone would know, all data that is deleted can be easily retrieved even by a novice software expert. Hence, it is important that all such data that required to be safely deleted permanently, be erased or overwritten to ensure that the original data no longer exists on your systems or anywhere in the communication channels.
Data Assets: In just about a decade, the world has changed drastically when it comes to assets that companies and individuals hold. There was a time not long ago when assets meant tangible ones like buildings, equipment, machinery or vehicles. Today, a company or an individual holds more intangible assets than ever before. These include product blueprints, medical history, credit card information, passwords, usernames, employee details, trade secrets, formulations, technical and software details, etc. Companies today are able to manage tangible assets much better than intangible ones. One can secure the buildings and other hard assets by tagging them or installing cameras around, by insuring them against unforeseen damage or theft, but how can you protect intangible assets? Companies find it challenging to categorize and store data securely. Normally, all these assets are safely kept on company computers, servers or cloud, but all three are vulnerable to being hacked. When even govt. and govt. owned organization websites are hacked, one can only imagine the vulnerability of data owned and stored by common people. In wrong hands, this data theft can be hugely damaging to any organization or individual.
As with Human Resource (though some companies do that), data cannot be shown in your company’s account books as the company’s assets. However, companies are realizing the importance of data as a strategic asset and treat it that way to secure it. Any breach in data security implies breach of trust between the company and the customers or loss of your intellectual capital, as the case may be. Financial companies, Banks, Credit card companies, Hospitals, Educational Institutions possess enormous amounts of critical data about people and need to protect it tooth and nail.
All that data that your company has accumulated would be of no use if you don’t process it. A company, as a living organism, constantly generates, accumulates, consumes and processes data. Since data is being added all the time, it becomes pertinent that all that data will be processed at various levels and at various departments constantly. If the company does not keep a tab how this whole activity is being carried out, it will lose its hold on its most critical intangible asset.
Complying with the General Data Protection Regulation (In the EU) or the applicable laws is a key function of the Data Protection Officer. However, even before that, the company needs to be ready with the following-
- Data Policies and distribution of responsibilities and accountability: Even within the company, there must be a clear policy about the mode of collection of data, methods of storage and analysis, means of utilizing this data and the people in whose hands this data stays and passes from. Having a clear picture helps place responsibility and brings in accountability on part of those responsible in handling data. For ex. The Marketing Manager is in-charge of compiling all customer data from website, store footfall, inquiries, social media, etc.
- Sensitizing staff about data: Data that falls in the hands of those who do not realize its importance or who do not respect its privacy, would turn into a liability for the company. It is very important to impart appropriate training to staff to collect, store, use and dispose of data properly.
- Seamless transfer of data for processing: Various departments that collect and store data need to share this data with other departments so that it makes sense and can be used. Analyzing trends, noting customer preferences, cross checking for duplication, errors, false or contradicting data, managing stock and movement, sharing data with third party and passing on that information to the design team or the manufacturing team is a continuous activity.
Data Protection and Impact Assessment (DPIA)
Processes such as the Data Protection and Impact Assessment (DPIA) puts the onus of identifying and minimizing the data protection risks of any project on the company.
The DPIA of your company must ideally:
- Describe the nature, scope, context and purposes of the processing;
- Assess necessity, proportionality and compliance measures;
- Identify and assess risks to individuals in the event of an actual or possible breach; and
- Identify any additional measures to mitigate those risks.
High risk means an individual or even your or other organization may suffer a real damage or loss. A good DPIA is one that takes into account all kinds of risks and proactively works towards mitigating all of them. It puts in place checks and balances so that there is no lapse at any point. These risks are not just compliance risks, but also risks to the reputation and personal security of individuals when it comes to personal data breaches.
Data Subject Access Request
Several laws about data protection, including the GDPR, give the right to the individuals whose data has been collected and stored by others.
There are 8 data subject rights, one of which is the right to access.
Using this right, an individual can gain access to which data about him/her is being held, how and why it is being used and where.
This makes the companies that hold such personal data, accountable for properly collecting, storing, processing and using personal data of other individuals.
Any individual can demand to know how his personal data is being used without citing any specific reason for the same.
Not just the individual, but a parent on behalf of a child, a legal representative, a guardian or a friend can also do so with proper authorization documents to be submitted to the company.
The responsibility of verifying the identity of the data subject lies solely on the company holding the data and can be done through various means like email, photo identification, login information, etc.
Generally, it is the Data Privacy Officer (DPO) who responds to such requests after duly verifying the identity and within a timeframe. Only when a request is unfounded or excessive can it be declined and no fee can be charged for responding to any request.
How do companies ensure Data Privacy and Data Security
Companies have to be responsible towards maintaining the two- Data Privacy and Data Security. Towards this end, companies have built in systems and processes so that all data is kept secure at all times.
Data Audits: Ensure that all data is regularly audited and checked for possible or potential breaches.
Data Alerts: Ensure that any breach is immediately alerted and can be accurately tracked down to point out the person who has done so. Plugging the holes in time saves a lot of loss and agony.
Risk Assessment: Plugging loopholes in data management is key to keeping your data safe. A breach in data implies huge loss to customers and individuals and also to the company holding it. Data Security Risk Assessment is mandated under several Data Protection laws, including the GDPR.
What implies risk is also a matter of debate. Threats of breach, vulnerability to hacking or theft or unauthorized access are two real risks. This is where accountability for collection, storage, utilization and disposal becomes important. Companies that have data protection policies generally have systems in place that place the onus on people within the company to handle data securely. There are systems in place that makes things easy to do that. Identifying risk factors and taking all the necessary steps to mitigate those risks is the key role of the DPO. When data loopholes are spotted and action is taken in time, it helps secure data to a large extent. Classifying data based on risk assessment is also another way to do so.
Data Privacy Officer (DPO): Roles and responsibilities of people within an organization have seen dramatic changes in the recent past. New roles such as the Data Protection Officer have risen solely because data is considered an asset and all assets need to be secured. The GDPR mandates the appointment of a DPO and that his information must be sent to the authorities duly. This makes the company and the DPO accountable for any breach in customer data and the DPO can be held responsible for the same. The main role of the DPO is compliance to Data Security laws and regulations, but apart from that, he is also responsible for putting in place standard processes for collecting and holding data, training the staff, assessing the risk to data being held and handled and responding to Data Subject Requests. It is a continuous job to be alert to data risks and plug any loopholes in time.
Asset handler: By definition, asset is anything that is of value to you and your organization. That includes physical assets like buildings and equipment and information assets like data and technology. An Asset handler is the person designated to manage all assets, especially the intangible ones like data and information, which is crucial to today’s businesses. His task is more about handling these assets and keeping them safe from being hacked into or going into wrong hands.
Most Asset Handlers maintain an IAR (Information Asset Register) which lists all the assets that are owned and handled by the company. It also spells out where they are stored, who is responsible for their security and how. This makes it easy to trace and track assets whenever required and also to trace back in case of a leak.
As technology improves at a rapid pace, data gathering mechanisms also improve resulting in more emphasis on privacy and security. One needs to understand all the aspects of this entire spectrum to be cognizant of what actually is happening.
Did you notice any corrections to be made on this page? Submit your feedback here. We will take the necessary action.