Balancing Risk and Reward in IT Security


Should an organization suffer a data breach, it could be a big problem for those affected, yet the organization may not be mandated to offer any kind of compensation. In this scenario, the risk to the organization from such a breach is relatively low, even if the likelihood of a breach is high. This problem is compounded by the ambiguities surrounding data privacy laws.

To give you an analogy, if I let someone look after my car, and they happened to leave the keys in the car, should they be liable if the car was stolen? I’m sure many would answer “Yes!” But of course, there would need to be evidence confirming that I actually lent them the car, and didn’t just give it to them. Such evidence would require some form of prior agreement, or contract.

As you can imagine, when it comes to data protection, there’s no incentive for organizations to prompt their users for such an agreement before processing their personal information, as it would introduce a risk, which could potentially reduce the reward. And many individual users are unlikely to be aware of the risks themselves, or even if they were, they wouldn’t have the authority to demand such an agreement in advance. Alternatively, they may be aware of the risks, but consider the rewards associated with their endeavors to be justified.

Of course, many larger organizations already make use of data privacy agreements; however, many of these agreements are not designed to protect your personal data. For example, the iTunes privacy policy is 36 pages long. Do they really expect their users to read that? And more importantly, these are not really agreements so much as statements telling you what they are going to do with your data.

In this rapidly evolving digital paradigm, a means of coordinating or incentivizing the use of fair, mutually beneficial agreements is becoming ever more important. Fortunately, a number of government directives which could help protect people’s personal data have already been implemented or proposed, the most notable being the GDPR.

The General Data Protection Regulation is an EU directive which will come into effect on May 25, 2018. It’s worth noting that the law applies to organizations, in any part of the world, that process information belonging to EU citizens. Of course, there are those who consider the GDPR a pervasive approach to protecting data privacy, yet one could argue that in order for such an operation to be effective, it requires extended territorial scope. I don’t have a strong opinion on the subject, but I can see the need for a centralized authority to coordinate a response to such issues. At the same time, coordination doesn’t necessarily require coercion. For example, in the context of market regulations, I generally believe that providing tools for consumers to regulate producers is a more efficient and effective approach.

However, when we’re dealing with something as boundless and opaque as the internet, a more centralized approach may at least get the job done quickly. To further illustrate my point, it wasn’t that long ago that we were using a large number of mobile phone chargers, all with different connectors. It was cumbersome and led to clutter. Yet these days it is rare to buy a mobile phone that doesn’t use a micro-USB charger. This transition happened within a relatively short period of time after the EU put pressure on the major mobile phone manufacturers to form an agreement. However, had the EU passed a law which specified exactly what charger must be used, this could have potentially stifled innovation and led to compatibility issues with manufacturers outside the scope of EU regulations. It may be worth noting that the GDPR may be subject to similar issues. As such, I think it’s reasonable to be concerned about the consequences of the GDPR, but it will at least present the risks necessary to ensure that organizations are processing our personal information in a responsible manner.


About the Author

Aidan Simister, global SVP for IT auditing, security and compliance vendor, Lepide Software