Data privacy continues to be a huge concern for everyone. More countries and organisations are taking privacy seriously, especially after governments and regulators have imposed stricter privacy regulations. Be it Europe’s GDPR or Malaysia’s Personal Data Protection Act, many companies are now finding adhering to privacy regulations a significant challenge and are not yet fully compliant.
In light of COVID-19, where every organisation today is collecting more personal information about customers and visitors, the urgency for businesses to comply with data protection and privacy laws is even more pressing than before. Contact tracing apps, for example, are becoming the best way to trace patients infected with COVID-19 and to control the spread of the pandemic.
At the same time, though, not everyone is thoroughly convinced about giving out their personal information. In Malaysia, the government’s contact tracing app, MySejahtera, claims not to record or store any personal information or data beyond what is used to determine the movements of infected individuals. Even so, many are still not entirely convinced about allowing the government to trace their movements.
According to Leonard Cheong, Managing Director of AdNovum Singapore and Vietnam, in countries where smartphone usage is widespread, contact tracing apps are the fastest and most scalable way for health authorities to conduct contact tracing. Such apps are now in use in several countries, including Singapore, Canada and Australia. Singapore has also gone a step further to issue wearable devices to those serving stay-home notices from 10th August onwards.
“Broadly speaking, if the contact tracing apps have been responsibly developed, there is no reason for the public to be concerned about using them. Being privacy-first includes ensuring that consent is obtained, only the minimum amount of data needed is collected, the data is accessible to only select health officials and is not shared with unrelated departments and that it is deleted after a fixed period. The apps should also be compliant with relevant local privacy laws”.
Leonard explained that if contact tracing information is being recorded through additional apps – such as in Singapore where citizens can use the SingPass mobile app to check-in to the places they visit – then additional privacy concerns around location data captured by the device should also be considered.
In this landscape, he said data privacy needs to be an ongoing conversation amongst all stakeholders involved. Governments and service providers need to educate the public on how their data is being used and the steps taken to protect it. He added that governments should also hold regular public dialogues to determine the pain points and address citizen concerns – similar to the online consultation conducted by the Singapore government on proposed changes to the local Personal Data Protection Act (PDPA).
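The privacy-first properties listed above (consent, data minimisation, access limited to health officials, deletion after a fixed period, and no retention of device location data) can be expressed as concrete checks in code. The following is an added illustration written for this page; it is not code from the article, from MySejahtera or from AdNovum. The field names, the `health_official` role and the 25-day retention window are assumptions chosen for the example.

```python
"""Added example: a minimal venue check-in store that enforces the privacy-first
properties the interview lists. Not from the article or any named project;
names, fields and the retention window are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Assumed retention window: records older than this are purged on every query.
RETENTION_DAYS = 25

# Data minimisation: only these fields are ever stored. Names, national ID or
# passport numbers and GPS coordinates are never needed to trace contacts at a
# venue, so they are discarded even if the client sends them.
ALLOWED_FIELDS = {"visitor_token", "venue_id", "checked_in_at"}


@dataclass(frozen=True)
class CheckIn:
    visitor_token: str      # opaque per-app pseudonym, not a real identifier
    venue_id: str           # venue code, not a device location
    checked_in_at: datetime


class ConsentRequired(Exception):
    """Raised when a check-in is submitted without explicit consent."""


class AccessDenied(Exception):
    """Raised when a caller without the health-official role queries records."""


class CheckInStore:
    def __init__(self) -> None:
        self._records: List[CheckIn] = []

    def record(self, raw: Dict, consent_given: bool) -> CheckIn:
        # Consent: nothing at all is written without it.
        if not consent_given:
            raise ConsentRequired("no consent given, nothing recorded")
        # Minimisation: keep only the allowed fields from whatever was sent.
        minimal = {k: v for k, v in raw.items() if k in ALLOWED_FIELDS}
        rec = CheckIn(**minimal)
        self._records.append(rec)
        return rec

    def purge_expired(self, now: datetime) -> int:
        """Delete records older than the retention window; return how many."""
        cutoff = now - timedelta(days=RETENTION_DAYS)
        before = len(self._records)
        self._records = [r for r in self._records if r.checked_in_at >= cutoff]
        return before - len(self._records)

    def contacts_of(self, infected_token: str, role: str, now: datetime) -> List[CheckIn]:
        """Other visitors who checked in at the same venue on the same day."""
        # Restricted access: only the assumed health-official role may query.
        if role != "health_official":
            raise AccessDenied(f"role {role!r} may not query check-ins")
        self.purge_expired(now)
        visited = {(r.venue_id, r.checked_in_at.date())
                   for r in self._records if r.visitor_token == infected_token}
        return [r for r in self._records
                if r.visitor_token != infected_token
                and (r.venue_id, r.checked_in_at.date()) in visited]

    def __len__(self) -> int:
        return len(self._records)


def demo() -> Dict:
    """Run the store over constructed sample check-ins and report the outcome."""
    now = datetime(2020, 9, 1, 12, 0)
    store = CheckInStore()
    # Constructed input: the client over-sends a name and GPS fix, both dropped.
    kept = store.record({"visitor_token": "tok-A", "venue_id": "cafe-7",
                         "checked_in_at": now - timedelta(days=2),
                         "name": "Alice", "gps": (1.29, 103.85)}, consent_given=True)
    store.record({"visitor_token": "tok-B", "venue_id": "cafe-7",
                  "checked_in_at": now - timedelta(days=2)}, consent_given=True)
    store.record({"visitor_token": "tok-C", "venue_id": "cafe-7",
                  "checked_in_at": now - timedelta(days=40)}, consent_given=True)
    try:
        store.record({"visitor_token": "tok-D", "venue_id": "cafe-7",
                      "checked_in_at": now}, consent_given=False)
        refused = False
    except ConsentRequired:
        refused = True
    try:
        store.contacts_of("tok-A", role="marketing", now=now)
        denied = False
    except AccessDenied:
        denied = True
    contacts = store.contacts_of("tok-A", role="health_official", now=now)
    return {
        "refused_without_consent": refused,
        "denied_other_role": denied,
        "stored_fields": sorted(vars(kept).keys()),
        "contacts": [c.visitor_token for c in contacts],
        "remaining_after_purge": len(store),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the four properties at once: the check-in without consent is refused, the over-sent name and GPS fix never reach storage, the marketing role cannot query, and the 40-day-old record is purged before the health official sees the single same-day contact.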
Avoiding Data Breach
There is no denying that there has been an increase in security breaches during this crisis, which is why strict data privacy and security laws should be enforced at all times. During this economic downturn, compounded by COVID-19, it is essential to protect both the physical and virtual world.
For example, in March this year, details of credit cards issued by top banks in Singapore, Malaysia, the Philippines, Vietnam, Indonesia and Thailand were found to have been dumped online in a massive data breach. This is just one example of the massive breaches that are becoming more common.
“With COVID-19, businesses of all types are collecting highly sensitive personal information about their customers to facilitate contact tracing. This has created a new vulnerability that cybercriminals can exploit”.
Leonard highlighted that a large number of such businesses – grocery stores, condominium complexes or beauty salons, for example – have never had to deal with sensitive information such as passport and national ID numbers and are finding themselves without the right processes, tools and knowledge to be able to manage and safeguard this information adequately. In some cases, small businesses may not have the infrastructure and resources to divert towards compliance issues. Hence, there is a need for regulators to provide greater oversight, education, and support for businesses and enable them to establish secure data collection.
Additionally, he said that organisations need to revisit processes and infrastructure to ensure compliance as soon as possible not just to satisfy regulators but also to safeguard their own business against the ramifications of a potential breach.
“Customer trust, if lost due to a breach, cannot be easily regained”.
Meanwhile, the status and enforcement of data privacy regulation differ in various parts of the world. Some countries, such as Thailand, have granted businesses a reprieve by extending the enforcement date of local PDPA laws. However, they have been adamant that this should not be interpreted as a relaxation of the law. On the other hand, regulators in Singapore and the EU, for instance, have stated that enforcement actions will continue regardless of COVID-19.
Hence, Leonard believes that businesses should not operate under the assumption that this global crisis will create a loophole that allows them to delay compliance. Instead, they should use this opportunity to strengthen compliance culture within the organisation, enhance their bank of tools and establish the right processes for long-term success in privacy.
Also, businesses should look at privacy as a strategic, long-term business objective. Maintaining consumer trust is the most crucial part of this equation. Even if regulators are lenient for a short period, consumers are unlikely to be forgiving once a breach takes place.
Securing Your Business
Cybercriminals are aware that remote workers are more vulnerable and are fully exploiting the fear and uncertainty created by this pandemic. As remote working has created a never-seen-before increase in distributed endpoints and access from unknown networks, more users are also using their personal devices to access enterprise materials and conduct calls, creating a larger attack surface.
At the same time, security teams have very little visibility into home networks. Hence, the biggest challenge for security teams is to find that fine balance between remote access and security, without compromising ease of use.
According to Leonard, businesses should manage these new security threats by:
Reassessing existing security protocols and processes - First and foremost, businesses should review their current measures and assess whether they are robust enough for this new landscape. For example, remote access should always be via VPN, with encryption and authentication technology in place, especially for sensitive data. Where existing technology is found to be insufficient, advanced and layered protection should be added. We are living in unprecedented times and attackers are continuously coming up with new ways to exploit vulnerabilities. Businesses can protect against further, never-seen-before attacks by using technologies such as machine learning, biometrics and behaviour-based continuous authentication to detect and manage new threats.
Being proactive and building in security-by-design in support of business ops - With a complex and evolving threat landscape, it is vital for businesses to be proactive instead of reactive in their approach to security investment. In order to build a resilient security strategy, they should carry out regular risk assessments. This includes identifying individuals/executives in the organisation who have access to commercially sensitive information and working to secure them at home too. Any remote working tools and processes should also be continually assessed to ensure that they meet security requirements.
Educating remote employees to collaborate smartly - Security teams need to take the lead on educating employees to use remote collaboration tools intelligently. This includes taking simple steps such as enabling multi-factor authentication, ensuring that all meetings are set up with passwords, ensuring sensitive meetings are not labelled with details that could draw an attacker’s attention, using a password manager etc. It is also essential to continuously educate employees on data privacy and the importance of protecting customer information to mitigate the risk of costly incidents, reputational harm, regulatory penalties and strengthen customer trust in the organisation. This knowledge must also be regularly refreshed so that all teams are up to date with the latest requirements.
Managing Concerns on Privacy
Leonard pointed out that AdNovum focuses on three critical organisational pillars which are People, Process and Technology, to enable businesses to manage this task more effectively.
For People, Leonard said trends such as remote working and bring-your-own-device, coupled with individuals’ varying levels of knowledge about privacy issues, mean that educating employees is a crucial aspect of maintaining compliance. Businesses must create and instil a privacy- and security-by-design mindset in all their employees – from the intern to the CEO.
“At AdNovum, we inculcate an engineering approach, where privacy is built into our solutions from design to launch and maintenance”.
For Processes, businesses should tailor and implement cybersecurity processes that cater to their size, industry and business goals. They must also have the discipline – and this is not just limited to IT but across all departments – to maintain and follow the processes established.
“We have codified our work processes according to the ten core principles of the AdNovum Developer Guidelines. These include standards for ensuring that security is not an afterthought and that the team works towards a continuous delivery set up”.
And for Technology, one of the technologies that businesses can leverage is a strong Identity and Access Management (IAM) solution. Federated IAM enables seamless customer experiences so that security processes such as login, authentication or preference management do not add friction. Additionally, it allows businesses to secure personal data across public networks and to ensure that it is collected in accordance with the varied and frequently changing privacy regulations across the world. Such technology has been tested and proven through government-led bug bounty programmes and independent security research. In the long run, leveraging such technology can also help businesses manage cost and increase efficiency.
“While AdNovum supports businesses in IAM, our role goes beyond this to being a trusted partner and enabling businesses to master their digital potential and reimagine business models, by unlocking the power of new technology such as blockchain, robotic process automation and machine learning”, stated Leonard.