Threats to Data Privacy
The law provides that it is the policy of the State to protect the fundamental human right of privacy of communication while ensuring the free flow of information to promote innovation and growth. The State also recognises its inherent obligation to ensure that personal information in information and communications systems, in government and in the private sector, is secured and protected.
We distinguish Data Security from Data Privacy. Data Security involves confidentiality, availability, integrity and compliance. Data Privacy involves accountability and assurance, and the promotion of a culture of privacy with operational and demonstrable compliance. Data Security is concerned with the impact on data; Data Privacy is concerned with the impact on people. Data Security governs the unauthorised, while Data Privacy governs those who are authorised. Studies have shown that only 47% of data breaches are caused by malicious attacks; the remaining 53% involve system glitches (29%) and human error or negligence (24%).
Data breaches come from both external attacks and internal weaknesses. At present, threats increase along with the rapid development of, and dependence on, mobile technology.
Companies invest in expensive technologies, software and hardware, to protect information. However, a significant number of data breaches are due to internal weaknesses, which can cause huge losses and security issues for the organisation. Among them are:
- Employee negligence
Careless and reckless employees who handle or have access to sensitive personal information pose a threat to data privacy. Examples include weak passwords for email and social media accounts and poor web browsing practices. Short passwords, shared passwords and open access also allow cybercriminals to obtain information easily.
No amount of investment in the latest technological innovations can protect data privacy from human error and negligence.
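The weak-password problem described above is one of the few internal weaknesses that a technical control can partly catch before the damage is done. The following is an added example (not code from the original article or from the National Privacy Commission) of a server-side password policy check of the kind an organisation might enforce at account creation or password change: it rejects short passwords, passwords found on a known-weak list, passwords that contain the username, and passwords dominated by a repeated character, and it estimates the guessing entropy for reporting. The weak-password list and the sample inputs are constructed for the demonstration; a real deployment would substitute a large breached-password list.

```python
import math
import re
from dataclasses import dataclass, field

# Constructed stand-in for a breached/common-password list (assumption for this demo).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "admin"}

MIN_LENGTH = 12          # minimum accepted length
MIN_ENTROPY_BITS = 50.0  # minimum estimated guessing entropy


@dataclass
class PasswordCheck:
    ok: bool
    entropy_bits: float
    problems: list = field(default_factory=list)


def estimate_entropy_bits(pw: str) -> float:
    """Rough estimate: length * log2(size of the character pool actually used)."""
    pool = 0
    if re.search(r"[a-z]", pw):
        pool += 26
    if re.search(r"[A-Z]", pw):
        pool += 26
    if re.search(r"[0-9]", pw):
        pool += 10
    if re.search(r"[^a-zA-Z0-9]", pw):
        pool += 33  # printable punctuation and space
    return len(pw) * math.log2(pool) if pool else 0.0


def check_password(pw: str, username: str = "") -> PasswordCheck:
    """Apply the policy and return every violation rather than only the first one."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("appears in common-password list")
    if username and username.lower() in pw.lower():
        problems.append("contains the username")
    if re.search(r"(.)\1{2,}", pw):
        problems.append("contains a run of three or more identical characters")
    entropy = estimate_entropy_bits(pw)
    if entropy < MIN_ENTROPY_BITS:
        problems.append(f"estimated entropy {entropy:.1f} bits below {MIN_ENTROPY_BITS:.0f}")
    return PasswordCheck(ok=not problems, entropy_bits=entropy, problems=problems)


if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate, user in [("password", "bob"), ("S3cure!Alice99", "alice"),
                            ("correct horse battery staple", "carol")]:
        result = check_password(candidate, user)
        print(f"{candidate!r}: ok={result.ok} entropy={result.entropy_bits:.1f} {result.problems}")
```

The check deliberately reports all violations at once, so the user can fix them in one attempt, and it keeps the entropy estimate separate from the hard rules so the threshold can be tuned without touching the list and username checks.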
- Weak or lack of Information Security Policy
The company must ensure that a policy is in place covering the access, handling, use and disposal of information. Standards have to be clearly defined and discussed with all personnel to ensure that no breaches occur.
- Malicious attacks
Common examples include the “too good to be true” email or message that entices the recipient to provide personal information in exchange for a grand prize. Another is the “emergency” message that creates a sense of urgency. Also common are messages from unknown senders, and hyperlinks and attachments that in reality lead to fake identities, viruses and sites designed to obtain sensitive personal information.
Malware, or “malicious software”, includes computer viruses, worms, Trojan horses, rootkits, ransomware, spyware, adware and scareware, among others. The intent is to infiltrate and infect computers in order to compromise devices, disrupt services, steal data or monitor activity.
A denial-of-service or DoS attack seeks to disrupt a network’s service and make it unavailable to its intended, legitimate users. Attackers flood the network with useless traffic until its resources are overwhelmed and it crashes.
A man-in-the-middle attack is designed to intercept communication between two parties, say a consumer and a website, impersonating each to the other in order to steal valuable personal information.
- Emerging attack platforms
Mobile devices are repositories of sensitive data. Poor handling and/or a lack of security makes them a vulnerable point of attack.
- Internet of things
The internet of things or IoT is the concept of interconnecting physical devices, ranging from cellphones, cars, ovens, washing machines, headphones and lamps to wearable devices, via the internet. It espouses people-to-people, people-to-things and things-to-things relationships, intended to improve efficiency and promote a smart approach to doing things.
The National Privacy Commission provides for an integrated approach to addressing the threats to data privacy. It promotes the “Five Pillars of Accountability and Compliance”, which involve organisational, physical and technical measures to develop a culture protective of privacy.