Mike Weston, CEO of data science consultancy Profusion, discusses the issues that will affect data protection and security in 2016.
When the book on the history of data in the early 21st century is written, I have no doubt 2015 will have a weighty chapter all to itself. The book itself may be fairly dull, but ostensibly boring and technical things tend to have far-reaching consequences for us all. This year, buried behind the unwieldy titles of legislative initiatives and the decisions of far-removed judicial bodies, was a series of profound changes to data protection and security. These initiatives have brought us to a crossroads. One path leads to a fragmented environment in which businesses find it expensive and difficult to protect and manage data. The other leads to a more united data economy, in which businesses and countries cooperate on data protection and security standards. My gut feeling is that by December 2016 we will know which road we have taken.

Unfortunately, little of what happened in data protection in 2015 was good for consumers or businesses. Amid the repeated hacking of big companies, we had a series of major legislative and legal changes. The end of Safe Harbour was a landmark decision: it put into stark relief how far US, UK and European institutions are diverging on data protection standards. Safe Harbour was agreed at the start of the millennium and created a framework that allowed personal data to be transferred out of the EU to the US. Part of the deal allowed US companies to handle that data to lower standards than those required of EU member states. The Snowden revelations showed just how low those standards were in practice. Consequently, in October the European Court of Justice struck down the agreement, and EU data protection regulators have given the US and EU until the end of January to agree a replacement.

A new Safe Harbour agreement seems a long way off. In October, the US Senate passed the Cybersecurity Information Sharing Act. The Act is intended to make it easier for US companies to share data with American security agencies. Given that around seven US security agencies employing thousands of people could access and share this information, the result is a significant erosion of online privacy standards in America.
Taken together, these decisions, along with the pending Microsoft judgment (more on that later), have created a situation in which the US and EU are heading in completely different directions on data protection and, by extension, on data security standards. This fragmentation is more than a chin-scratching academic exercise. The likely consequence is serious disruption to the free movement of data across the world. For businesses, that means tighter restrictions on how they manage and use data, and higher costs for both infrastructure and compliance.

A conceivable extension of this fragmentation is divergence not just in security standards but in the idea of a truly 'world-wide' web itself. With the EU pushing for more oversight and a higher standard of privacy, and given its track record of prosecuting American companies, 2016 could be the year the EU holds businesses to a higher duty of care for protecting data. It is easy to envisage another major hack resulting in the EU taking the businesses involved to task for failing to put adequate security controls in place. A similar state of affairs in the US is harder to picture, with the Government and judiciary hell-bent on eroding privacy protections. The net result will be US and European businesses playing by completely different data protection and security rules on either side of the Atlantic. Taken to the extreme, that could leave US businesses unable to operate on this continent.

A perfect example of the attempted erosion of privacy in the US is the Microsoft case, which should reach a conclusion in January. If the US federal court rules against Microsoft and allows the US Government to access data held in a data centre in the Republic of Ireland, we should expect serious repercussions. Cloud computing businesses will be the most severely affected, and a dangerous precedent that other governments could follow would be set. Whatever happens, the case will be appealed, so expect this issue to rumble on for the rest of the year. 2016 is also likely to see the passage of the Investigatory Powers Bill in the UK. Like the Cybersecurity Information Sharing Act in the US, the Bill, in its current form, weakens data protection and individual privacy in favour of national security. Add to this the likely agreement of new EU data protection legislation, and the legal and compliance departments of data-heavy businesses (i.e. most companies) are going to have a hectic 2016.
Another factor to consider in 2016 is the continued growth of wearables and the Internet of Things. As more connected devices are bought, the data security underpinning the Internet of Things will become a big issue. There is a great opportunity for businesses to come together and create rigorous data security and privacy standards, and thankfully there does seem to be some appetite for cooperation.

2016 is going to be another banner year for data protection and security. We will undoubtedly see more serious data breaches. Data security professionals will continue their arms race with hackers, and companies will continue to pour money into security. The X factor is the relationship between European and US authorities and whether the free flow of data can continue. Regrettably, the signs do not look promising.