I remember sitting next to my mother in the waiting room of numerous doctors’ offices – all outfitted nearly the same: brown chairs with wooden armrests, scuffed industrial carpet, receptionist behind a sliding glass window. My mom would hunch over a clipboard thick with paperwork, huffing with indignation. Why is it necessary for a dermatologist to know my educational attainment? As a lawyer, she was adamant that she should only provide need-to-know information. I don’t see why an internist needs my family’s combined income. And some things were nonnegotiable: I am not giving this cardiologist my social security number.
I would squirm in my seat, uncomfortable with her rocking the boat. Just fill out the form, I thought. What’s the big deal? This was well before the era of identity theft, massive data breaches, and comprehensive privacy regulations. The receptionists were always perplexed by her pushback, as if no one had ever contested the ask, certainly not a woman. They would call her back to the window: Please fill in all the empty boxes. It usually ended in a stalemate.
It turns out my mother was a bit ahead of her time. Today, topics of data privacy and cybersecurity are top of mind, with new cases making headlines nearly every day. This past week it was the Colonial Pipeline ransomware incident, in which the company paid nearly $5 million to recover data stolen by cybercriminals so it could reopen the fuel pipeline that services a large portion of the southeastern United States. Last month, we learned about the SolarWinds breach, where hackers added malicious code to the IT company’s software, leaving its customers (including U.S. governmental agencies and private companies) open to hackers. A few years ago, Marriott International announced that attackers had stolen the passport and credit card numbers of 500 million customers. Before that it was credit bureau Equifax, where an application vulnerability exposed social security numbers, birth dates, and addresses of nearly 150 million consumers.
Unfortunately, these are just a few examples of many recent data breaches – incidents in which private or confidential information was accessed without permission. In 2020 alone, there were nearly 4,000 confirmed global data breaches, with a cyberattack occurring every 39 seconds. On average, each breach cost $3.86 million and took 280 days to identify and contain. Costs vary considerably by country and industry, with the United States and healthcare topping the lists. Nearly 80% of breaches involve customer personally identifiable information (PII).
Hacking has become an underground art form, in which some of the most tech-savvy individuals exploit weaknesses in cybersecurity defenses. Not all hackers are malicious; some ethical hackers test for vulnerabilities, identify security holes, expose scams, and help strengthen defenses. But malicious hackers do real damage – stealing credentials, sensitive information, financial data, and more. Attacks are often a combination of sophisticated technology and social engineering. The most common cyberattacks are ransomware (systems are locked down until a target pays a hefty ransom, as in the recent Colonial Pipeline incident), malware (malicious software that harmfully probes systems, as in the SolarWinds hack), and phishing (fraudulent emails that get you to click a malicious link or download an infected attachment).
Once hackers get hold of sensitive information, they may siphon money from bank accounts, make purchases, or sell data to other criminals. Some use the personal information garnered to assume another’s identity and commit criminal acts. Identity theft has been on the rise. In the U.S. alone, there were more than 1.3 million reports of identity theft in 2020, double that of the prior year. Using the appropriated information, thieves apply for government benefits, open new credit card accounts, secure personal or business loans, and commit tax fraud.
Regulations play an important role in protecting data privacy. The U.S. Privacy Act of 1974 provided some early oversight of the collection, use, and dissemination of information by federal agencies. Most recently, though, the European Union has led the way in data protection and privacy legislation with the passage of the General Data Protection Regulation (GDPR), which was implemented in 2018. GDPR contains strong directives for controllers and processors of personal information, and it has wide-ranging implications for all businesses selling to or collecting information from citizens in Europe. For instance, data controllers must disclose the purpose and use of collected data, and data subjects have a right to ask for their data to be erased. The California Consumer Privacy Act (CCPA) of 2018 has attributes similar to GDPR’s; other countries including Brazil, Japan, and Kenya have recently adopted comprehensive data privacy laws.
Businesses must contend not only with the dollar cost of data breaches but also with regulatory non-compliance and reputational risk, both of which are huge liabilities. The Chief Information Security Officer (CISO) plays an essential role in ensuring the protection of information assets and technology via security policies, standards, threat detection, and remediation. A Chief Privacy Officer (CPO) typically manages risks related to information privacy laws and regulations. GDPR has also led to the creation of a Data Protection Officer (DPO) responsible for overseeing the approach, strategy, and implementation of data protection.
But policies and processes are not enough. That’s where technology comes in. For many years, the model for information security was “secure the perimeter” (equivalent to barbed wire fences surrounding a prison), assuming everything inside the perimeter was safe. As the digital landscape has grown more complex, it has become clear that perimeter-based security is insufficient. Take for instance the rise of insider threats, which account for 60% of data breaches. These insiders may be current or former employees, contractors, or partners with legitimate access to privileged data who use that access to cause harm. Insiders know where sensitive data lives and often do more damage than external attackers. (This is roughly analogous to prison guards unlocking the gates.)
Enter an era known as “zero trust,” in which nothing is considered threat-free. This security model assumes breaches are already happening and implements end-to-end continuous monitoring and response. Data is protected by authentication (to verify that only authorized personnel get access) and encryption (to convert information into a secret code).
Centuries ago, the ancient Spartans and Romans used ciphertext to encode secret messages sent during battle. Early encryption was based on a simple technique like letter substitution (a -> c, b -> d…) and a “key” that helped recipients decode the message. In World War II, the German military encoded transmissions using an electro-mechanical machine called Enigma; soon a Polish cryptographer – an early hacker – figured out how to crack the decryption key, thereby decoding top secret German communications and contributing to the Allies’ victory.
Since the 1970s, modern cryptography has emerged to protect all sorts of sensitive information. The RSA public-key encryption scheme is based on the concept that it is easy to multiply two large prime numbers but exceedingly difficult to recover those prime factors from the product. The Advanced Encryption Standard (AES) cipher protects the transfer of data online and is used in virtual private networks and Wi-Fi. Computer-based mathematical algorithms have become more sophisticated over the years, but the basic concept remains unchanged: encrypt sensitive data so that even if hackers gain access, they can’t make any sense of it. The percentage of web traffic that is encrypted has increased from 50% in 2014 to over 90% today.
There are several innovations that take encryption to the next level. Fully homomorphic encryption allows arbitrary calculations on encrypted data. That means the information doesn’t need to be decrypted in order to operate on it, keeping it protected from prying eyes. Lattice-based cryptography is designed to remain safe even against large-scale quantum computers, which are expected to be able to factor efficiently and therefore pose a threat to traditional public-key cryptography. Confidential computing brings various technologies together to protect data across the entire compute lifecycle: when data is at rest (in storage or databases), in transit (moving over a network connection), and in use (during processing).
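The two ideas above, that RSA rests on multiplication being easy while factoring is hard, and that some schemes let you compute on data while it stays encrypted, can be seen in a few lines of textbook RSA. This is an added illustration, not code from the original essay; the primes 61 and 53 are constructed toy values (real keys use primes hundreds of digits long), and unpadded textbook RSA is shown only for the math, not as something to deploy.

```python
from math import gcd


def keygen(p, q, e=17):
    """Textbook RSA key generation from two primes (toy sizes, for illustration only)."""
    n = p * q                      # multiplying is cheap, even for huge primes
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "public exponent must be coprime with phi(n)"
    d = pow(e, -1, phi)            # private exponent: modular inverse of e (Python 3.8+)
    return (n, e), (n, d)          # (public key, private key)


def encrypt(pub, m):
    n, e = pub
    return pow(m, e, n)


def decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)


def factor_by_trial_division(n):
    """Naive factoring; its cost grows with sqrt(n), which is why a large n resists it."""
    f = 2
    while f * f <= n:
        if n % f == 0:
            return f, n // f
        f += 1
    return None


def homomorphic_product(pub, m1, m2):
    """Textbook RSA is multiplicatively homomorphic: E(m1) * E(m2) mod n == E(m1 * m2).
    This is a partial version of the 'compute on encrypted data' idea; fully homomorphic
    schemes extend it to arbitrary computations."""
    n, _ = pub
    return (encrypt(pub, m1) * encrypt(pub, m2)) % n


if __name__ == "__main__":
    pub, priv = keygen(61, 53)                     # constructed toy primes; n = 3233
    c = encrypt(pub, 65)
    print(decrypt(priv, c))                        # 65: the round trip works
    print(factor_by_trial_division(pub[0]))        # (53, 61): trivial for a toy n
    print(homomorphic_product(pub, 7, 9) == encrypt(pub, 63))  # True
```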
Looking back, I suppose it wasn’t wrong of my mother to guard her secrets with care. Now more than ever, we all need to be conscientious about protecting sensitive information to prevent misuse or abuse. New regulations and technologies offer greater safeguards than ever before.