Data Privacy

This article has been written by Nishant Tyagi, pursuing MBA with Specialisation in Data Protection and Privacy Management (From Swiss School of Management) and has been edited by Oishika Banerji (Team Lawsikho). 

It has been published by Rachit Garg.

Introduction 

The world is rapidly changing, and with it, the way we store and manage information. As technology continues to evolve, the storage of sensitive information has become a major concern for individuals, businesses, and governments alike. With the increasing reliance on digital data and the threat of cyber-attacks, data security has become a top priority. As more sensitive information is stored and shared online, it is essential to ensure that this data is protected from unauthorised access and theft. However, with the rapid advancements in technology and the increasing sophistication of cybercriminals, many people question whether data security is a myth or a reality. This article aims to explore this question in depth and provide a comprehensive overview of the current state of data security.


The reality of data security

Data security refers to the measures taken to protect sensitive information from unauthorised access, use, disclosure, disruption, modification, or destruction. With the increasing amount of personal and confidential information stored in digital form, data security has become a critical concern for both businesses and individuals. The impact of data breaches can be devastating, with consequences ranging from the loss of sensitive information to damage to a company’s reputation. The potential for financial loss and identity theft also make data security a concern for consumers.

One of the most compelling arguments for the reality of data security is the vast array of tools and technologies available to protect data. From firewalls and antivirus software to encryption and multi-factor authentication, there are numerous ways to secure data and prevent unauthorised access.

The threat of data breaches is not a new one. However, with the growth of technology and the increasing sophistication of cyber-attacks, the importance of data security has only grown. Recent high-profile data breaches, such as the Equifax data breach in 2017, have highlighted the need for robust data security measures. The Equifax breach resulted in the compromise of the personal information of approximately 147 million individuals, including names, addresses, Social Security numbers, and birth dates. This serves as a stark reminder of the potential consequences of poor data security practices.

One of the main reasons for the growing concern over data security is the increasing reliance on technology. As more and more sensitive information is stored in digital form, the potential for data breaches increases. This is especially true for companies that collect and store large amounts of customer data, such as financial institutions, healthcare providers, and retailers. The rise of cloud computing has also increased the potential for data breaches, as companies are now storing sensitive information on servers owned and operated by third-party providers.

Another factor that has contributed to the growing concern over data security is the increasing sophistication of cyber-attacks. Today’s hackers have access to more advanced tools and techniques than ever before, and they are using these tools to launch increasingly sophisticated attacks. For example, phishing scams, which use fake emails or websites to trick individuals into revealing sensitive information, are becoming increasingly sophisticated. In addition, the rise of ransomware attacks, where hackers demand payment in exchange for the release of sensitive data, has added another layer of concern.

The myth surrounding data security

While there are compelling arguments for the reality of data security, there are also those who argue that data security is a myth. Despite the growing concern over data security, many businesses and individuals still believe that data breaches are simply the cost of doing business in a digital world and that there is no real way to protect against them. This is a dangerous attitude, as it fails to take into account the serious consequences that can result from a data breach. It also fails to recognise the steps that can be taken to mitigate the risk of a data breach, such as implementing strong security protocols, conducting regular security assessments, and training employees on best practices for data security. One of the main arguments for the myth is that no matter what measures are taken to protect data, it is always possible for cybercriminals to find a way to access it.

For example, despite the widespread use of encryption, cybercriminals can still use advanced hacking techniques to gain access to encrypted data. Furthermore, even the most secure systems can be vulnerable to human error, such as employees who inadvertently expose sensitive information or fall for phishing scams.

Another argument for the myth of data security is that the increasing amount of data being generated and stored makes it nearly impossible to protect all of it. With the growth of the Internet of Things (IoT) and the increasing use of cloud computing, the amount of data being generated and stored is growing at an unprecedented rate, making it increasingly difficult to protect all of this data.

In addition, the increasing sophistication of cybercriminals makes it even more challenging to protect data. Cybercriminals are constantly finding new and innovative ways to steal data, and it can be difficult for organisations and individuals to keep up with these developments.

Laws surrounding data security 

When it comes to data protection, the legal framework must take a holistic approach consisting of legal, administrative, and technical safeguards, all functioning robustly and in interdependence with each other. Every ID system must be designed with a legal framework for protecting individual data, privacy, and user rights. Several countries have successfully adopted general data protection and privacy laws that regulate data flow among public and private-sector activities. While in line with international law, these data protection laws vary from one another and are flexible enough to be modified as requirements change. Some of their prime traits are listed below:

Specifying the usage of personal data: 

Collection of personal data should be limited only to the purposes specified in the reference law, which by itself ensures that the personal data collected is not used in various other places, where most of the issues relating to it arise. It is therefore the governing legislation that prevents personal data fabrication. This also ensures that the data is collected with consent, so that the individuals concerned are not kept in the dark.

Minimum collection of necessary data:

Whatever the purpose, the governing law should ensure that the data collected is proportionate to the purpose of the ID system, since privacy risks increase with every additional piece of data collected and processed. Data collection must therefore be limited to fulfilling its intended purpose and nothing beyond that.

Need for the collection of personal data to be lawful:

The governing law validates the collection of personal data only where it has been obtained with the consent of the data provider, abides by contractual necessity with the provider, and conforms with the protection of fundamental public interests. Collection of data on any other grounds would be categorised as an offence.

Ensuring fairness, transparency and accuracy in data collection:

Fairness, transparency and accuracy are the three fundamental pillars of data collection. Whenever a dispute arises in relation to data acquisition or collection, these pillars are looked to. Fairness is closely related to the previous point, the lawful nature of data collection. Transparency signifies that the relationship between the data provider and the collector must not be like a spider web; it should instead be clear enough that each is aware of the other's activities. Accuracy in data collection ensures that the data collected does not end up in the wrong hands, where it could be used for fraudulent activities. Therefore, personal data must be accurate and up to date.

Privacy-enhancing technologies (PETs):

The governing law must include provisions that facilitate the use of technology to eliminate privacy issues in data collection. PETs are prime examples of technologies designed to protect privacy rights by limiting unnecessary processing of personal data, thereby making room for compliance with data protection rules.

Ensuring accountability in data collection: 

The governing law must provide for the establishment of an independent and specialised authority empowered to handle the data collection disputes and privacy issues that arise in the day-to-day functioning of data collectors and processors. The authority will also ensure that the principles laid down in the above points are complied with.

Data security in USA vis a vis UK 

The United States of America (USA) and the United Kingdom (UK) are discussed here because both are developed nations, and it is useful to understand how these nations govern the huge amounts of personal data that are collected.

Although the USA does not have a comprehensive federal privacy law for ensuring the security of collected and processed data, the Federal Trade Commission (FTC) has been the principal enforcer of the web laws that are available in the States. It is worth noting that the FTC reached a settlement with internet giant Google in 2012 after the latter misrepresented its privacy policies to its users in regard to the service it delivers. Google agreed to pay a penalty of $22.5 million and to change its alleged privacy practices. Further, the FTC also took action against social media mammoth Facebook in 2018 for deceiving users about their ability to control the visibility of their personal information. Under a settlement with the FTC, Facebook agreed to pay a penalty of $5 billion and to make significant changes to its privacy policies.

A prominent role in securing consumers’ privacy is played by the California Consumer Privacy Act, 2018 (CCPA), which gives consumers, rather than the data collectors, more control over the personal information that businesses collect about them. Although it applies only to organisations that carry out business in California, the CCPA gives residents enforcement power by allowing them to bring litigation against violating companies.

When compared with the comprehensive privacy law of the European Union (EU), the General Data Protection Regulation (GDPR), the CCPA can be said to be more limited in its applicability, as the GDPR applies to all organisations worldwide that monitor the data of EU citizens. The GDPR also comes with consistent enforcement, as it levies heavy fines against companies that violate its rules on collected data, thereby acting as a strong deterrent for infringers of data privacy. The GDPR can also be said to have more consistent oversight than the CCPA: while the former favours the appointment of a data protection officer to oversee compliance, the latter does not require the appointment of any such officer.

India and data security: a long road ahead

India, being a developing nation, has been experimenting with data protection laws for a long time now. The Indian Constitution does not expressly talk about data protection but has outlined the right to privacy as a fundamental right under Article 21 of Part III. The lack of any specific and comprehensive legislation for data protection has placed the burden on the Information Technology Act, 2000, which has come to be recognised as a toothless tiger. The statute, enacted in 2000, has long been battling technological hurdles, with its overused provisions proving unsuccessful in countering data privacy issues.

The Information Technology Act, 2000 deals with the payment of compensation (civil remedy) and punishment (criminal remedies) in cases of wrongful disclosure and misuse of collected personal data, which also includes breach of contractual terms in relation to personal data. Section 43A of the Act provides that any body corporate that possesses, deals with or handles any sensitive personal data and is negligent in implementing and maintaining reasonable security practices, thereby causing wrongful loss or wrongful gain to any third person, is liable to pay damages to the aggrieved person. It is significant that there is no upper limit on the compensation that the aggrieved party can claim in such circumstances.

It is necessary to mention that on 18 November 2022, the Indian government came up with a draft privacy law by the name of the Digital Personal Data Protection Bill. The Bill was formulated with the intention of enabling the Indian government to focus on technology policy in a robust and holistic manner. After Opposition parties objected to the introduction of such legislation, the Bill was withdrawn by the government. Thus India currently has no data protection legislation, and all one can wish for is comprehensive legislation in the field soon, for the future is the new present.

Mitigating the risk surrounding data security

So, what can be done to ensure that data security is a reality, rather than a myth? There are several steps that businesses and individuals can take to protect themselves against data breaches.

Implement strong security protocols

The first step in ensuring data security is to implement strong security protocols. This includes using robust encryption algorithms to protect sensitive information, implementing firewalls to block unauthorised access, and using strong passwords to prevent unauthorised access to sensitive information. In addition, companies should regularly update their security protocols to stay ahead of emerging threats.

Conduct regular security assessments

It is important for businesses to regularly conduct security assessments to identify potential vulnerabilities and address them in a timely manner. This includes regular penetration testing to identify security weaknesses, as well as regular reviews of security policies and procedures to ensure they are up-to-date and effective. In addition, companies should also conduct regular audits of their data storage and management practices to identify any areas where improvements can be made.

Train employees on best practices for data security

Employee education and training is critical to the success of any data security program. This includes regular training on best practices for data security, such as using strong passwords, avoiding phishing scams, and reporting suspicious activity. In addition, employees should also be made aware of the consequences of data breaches, and how they can help to prevent them from occurring.

Using cloud services from reputable providers

For companies that rely on cloud services to store and manage sensitive information, it is critical to choose a reputable provider that has a strong track record of protecting customer data. This includes conducting regular security assessments and implementing robust security protocols to prevent unauthorised access and data breaches. In addition, companies should also consider using multi-factor authentication to add an extra layer of security to their cloud services.

Keeping software up-to-date

One of the most effective ways to prevent data breaches is to keep all software, including operating systems and applications, up-to-date. This is because software updates often include critical security patches that address known vulnerabilities. By keeping software up-to-date, businesses can reduce the risk of a data breach and protect themselves against emerging threats.

Conclusion

In conclusion, data security is not a myth but a reality that requires constant attention and effort. By taking the necessary steps to protect sensitive information, businesses and individuals can reduce the risk of data breaches and ensure that their sensitive information is protected from unauthorised access, use, disclosure, disruption, modification, or destruction. Whether it is implementing strong security protocols, conducting regular security assessments, training employees on best practices for data security, using cloud services from reputable providers, or keeping software up-to-date, there are many steps that can be taken to ensure data security is a reality.

While there are compelling arguments for both the reality and the myth of data security, it’s clear that the threat of unauthorised access and theft will always be present. The best way to ensure the security of your data is to stay informed about the latest developments in technology and cybercrime and to take proactive steps to protect your data, such as using encryption, multi-factor authentication, and staying vigilant against phishing scams.

Ultimately, the reality of data security is that it is an ongoing battle, and while it is possible to secure data, it is never completely infallible. However, by being proactive and taking steps to protect your data, you can significantly reduce the risk of data breaches and cyber-attacks.

