‘Big Data’ – Separating The Wheat From The Chaff: Part Three

Data security implications.

What this means in practical terms is that vast amounts of data will come flowing into organisations, which will look to clump it all together for convenience – looking for trends based on behavioural, transactional and relational data, which will be pulled together and kept in one place for ease of reference and sharing; this is likely to be either in-house or in the ‘cloud’.

This fact immediately raises a number of associated questions that may, or may not, be of concern at corporate level; they should be:

  • What have we got? Is it information or data? (considered as one for the purpose of this White Paper)

  • Who owns the data?

  • Is it ours with IPR or other commercial value to others and must be appropriately protected?

  • Are there any caveats on its use, i.e. Data Protection caveats on collection and retention?

  • In whose jurisdiction was it collected, held, manipulated, shared etc?

    • Is the data being used for the purpose for which it was collected?

    • Is the length of time the data is being held appropriate?

  • Is it personal data?

    • If so did the data subject give their permission for that data to be collected?

    • Did they give permission for that data to be shared? (The dreaded Opt-in or Opt-out debate, and a particular problem)

  • With whom may they legally ‘share’ the data, internally, nationally, internationally?

  • Are there regulations and regulators that would seek to monitor and prescribe on use?

Part of the problem is that current legal and regulatory frameworks are trailing behind and do not yet sweep up this new data paradigm. Legislation is normally reactive, not predictive. Generally the regulators have yet to pronounce in this particular regard, but this does not change the basic fact that all data acquired, used and stored, by whomever, must still comply with EU legislation, National DPA and associated regulations.

There should also be an understanding of, and concern regarding, how the concept of Aggregation, Accumulation and Association works. This is a core concept in the commercial and intelligence exploitation of data, but it carries associated legal, regulatory and privacy issues as well. It is likely that corporate entities are storing information that requires adequate and appropriate protection from cyber-attack and unauthorised exploitation, but they are also likely to be collecting, storing and exploiting information and data that falls foul of the Data Protection Act and other regulations internationally.

In our experience, from the corporate perspective, this area is mostly ignored or, at best, subject to varying levels of corporate ignorance. Earlier this year, Dame Pauline Neville-Jones, a former security minister who is now HM Government’s special representative to business on cyber-security, warned:

“There is a vast swathe of corporates who have valuable intellectual property; much more valuable than they understand, which is inadequately protected…the level of awareness is nothing like it needs to be. This is a very, very serious state of affairs.”

At the commercial and corporate level the executive solution to both the ‘cyber’ and the ‘big data’ challenge is to treat it simply as a ‘compliance’ issue and hand it down the management chain. Tempting though it may be to pass the buck, this is firmly an executive, Board-level legal responsibility.

Additionally, if one considers who could be looking at the data, the issues become more significant.

There is a real threat that the inadequately protected data could be mined by almost anyone:

The potential for untrained, ignorant or malign individuals or organisations to gain access to, or give access to (and potentially alter), huge amounts of personal and corporate data opens up significant issues:

  • Companies might inadvertently be using aggregated information to which they are simply not entitled

  • Individuals could get access to information about other individuals or families or companies that could be viewed as ‘private’

  • Criminals and others suitably equipped and motivated (who can also acquire the means to aggregate ‘Big Data’) would equally see this as a potentially lucrative global opportunity.

Consider a data set that has aggregated data from emails, social media accounts, travel bookings, weblogs, Companies House, loyalty cards, credit reference agencies, insurance companies, automatic number plate readers, Google, photos and videos on YouTube, and CCTV footage.

This could then be combined into a data set that has name, gender, age, address, nationality, passport and social security details, social standing, financial information, number of children, schools, travel patterns, household purchases, political affiliations, religion and religious affiliations etc. and this data would be easily available outside the country in which it was generated.

Consider for a moment UK government ‘best practice’, which indicates that, using the metrics of Confidentiality (Security), Integrity, Availability and Privacy, this data would conventionally warrant protection in terms of its impact on the individual or corporate body if lost or compromised. Such information or data would require an appropriate “assurance process that ensures controls and safeguards be in place to prevent unauthorised access”.

There is evidence to suggest that most users of Big Data have simply not given this concept and duty a moment’s thought.

Effectively they are ‘running blind’ and relying on the conventional mantra, ‘if it costs me money, I don’t want to know, and when it fails, fix it’. It is far better to predict and prevent failure than to experience failure and fix it, having to deal with significant reputational fallout and damage in the process. Add to this the little-known and poorly understood implications for data held by US companies, who are under an obligation to share any and all data under their control, wherever it is held, with the US Federal Authorities if so requested under the Patriot Act (the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001). This places executives in a difficult position with respect to other legislative and regulatory regimes that forbid such disclosures, leaving them in ‘double jeopardy’, between a rock and a hard place.

Summary

From a compliance perspective there is a bewildering array of ‘Tools, Policies and Processes’ that were designed for another problem, not for this one, whose scope is enormous.

At executive level, ‘Big Data’, at whatever level of definition and opportunity, is the “Elephant in the room”: dominating, powerful and dangerous if mishandled. Even following the advice ‘first cut the Elephant into bite-sized chunks’, ‘Big Data’ is a challenge not well understood.

This is a Wake-up Call to:

  • Understand what Big Data is and what it is not

  • Realise your opportunity and accept that with it come added responsibilities

  • Understand the concept of ‘Predict and Prevent’: address problems before failure bites; ignorance is no defence when failure strikes

___________________________________

This is the final instalment of a three-part story on Big Data – part one here, and part two is available here.
