Preview of 2024: data

by Mark Rowe

If networks are the pipes along which we send words and pictures, to come out on the other side of the world instantly, and cyber security is what keeps those pipes safe, then data is like the oil that flows along physical pipes. Last year the United Nations published a ‘Global Digital Compact’, which would set out principles, objectives and actions for advancing an open, free, secure and human-centred digital future. The UN called for ‘the same safe design approaches and standards that we use across physical industries – cars, food, pharmaceuticals and toys – to digital technologies and platforms’.

Meg Davis, professor of Digital Health and Rights at the University of Warwick, recently pointed out how there’s little to no actual governance of digital tech and artificial intelligence (AI). She said: “AI systems lack transparency and there is very little human oversight or accountability for the harms these systems can cause. What’s more, the agenda for tech and AI is being shaped by the private sector in very few countries, but these companies are shaping the impacts AI is having on people globally.

“We need to turn this power dynamic around and demand that rights be at the centre of AI and digital governance.”

Among the risks to human rights she aired: some people may be denied job interviews or financial loans on the basis of discriminatory AI, and facial recognition and crime prediction tools may discriminate against groups because the AI was trained on incomplete data.

ICO

In the UK, the data privacy regulator the ICO (Information Commissioner’s Office) is fining companies for SMS and calls, but only reprimanding for data breaches. Companies, and the regulator, have to do more, it’s claimed.

The high-profile introduction of GDPR in 2018 was meant to prove that the authorities were taking the threat from cyber-criminals and the misuse of data seriously. There were promises of major consequences for every business that failed to adhere to the regulation, but as the years have gone by we have seen that those organisations suffering data breaches have been, frankly, rapped on the knuckles, with no further consequences, said AJ Thompson, CCO at the IT firm Northdoor plc.

Thompson, pictured, said: “In contrast the ICO has been handing out quite large fines to those companies that have been sending unsolicited SMS, texts and calls. Although, undoubtedly, this is an annoying and fairly serious misuse of people’s details, it cannot come close to the exposure of sensitive data.

“A company called ‘House Hold Appliances’, for example, was fined £55k for making marketing calls, and yet we see the Police Services Northern Ireland given a rap on the knuckles for preventing sensitive personal data being leaked – a particularly dangerous example considering the political and potentially life-threatening consequences of such a data breach.” Thompson was referring to the personal information of 9,483 police officers and staff working at the PSNI being published on a public website after a Freedom of Information request, as featured in the October 2023 print edition of Professional Security Magazine.

“Other examples of where companies have been reprimanded, rather than more severely punished, include Bank of Ireland, Finham Park Multi-Academy Trust, NHS Fife and many more. There is an argument that fining public sector organisations thousands of pounds is not going to do anyone any good, in which case other, appropriate, but effective measures need to be put in place.

“The regularity of high-profile data breaches also points to the fact that many are taking regulation at face value. By treating regulation like a tick-box exercise and forgetting the reasons behind the regulation, they are giving the advantage to the cyber-criminal. Adherence to regulation does not equal security. Cyber-criminals are certainly not resting on their laurels, but rather, are continually looking for new, sophisticated methods to gain access to data. As a result, organisations must be continually looking at their defences and what the latest threats look like, to give themselves the best chance of keeping the cyber-criminal out.

“More serious consequences from regulators for those companies that have failed to adhere to regulation is one step towards taking the fight back to cyber-criminals. Equally, organisations must take more responsibility themselves for ensuring that regulation is not treated as a tick-box exercise, but rather a starting point for their cyber-defences.”

Legal sector

Insider data breaches continue to pose a serious threat to the UK legal sector, according to NetDocuments. Based on data from the ICO, covering the third quarter of 2022 to the second quarter of 2023, most (60 per cent) of the identified data breaches in the UK legal sector were caused by insiders. By comparison, 40 per cent of data breaches came from outside threats, such as external malicious actors. Almost half of the cases (49 per cent) impacted customers, and 13 per cent impacted employees. Basic personal information (49 per cent), economic and financial data (13 per cent), health data (10 per cent), and official documents (10 per cent) were the main types of data breached in the legal sector.

David Hansen, VP, Compliance at NetDocuments said: “Law firms and legal institutions handle vast amounts of sensitive and confidential information, which puts them at increased risk of cyber-attacks. But it’s not just external threats like ransomware that law firms need to watch out for. Law firms must be vigilant to insider data breaches – whether intentional or accidental. This requires robust cyber security measures to govern access to documents, without hampering staff productivity.

“For law firms, guarding against insider threats is not just a matter of protecting data; it’s a commitment to safeguarding client and employee confidentiality.”

© 2024 Professional Security Magazine. All rights reserved.