Cyber Security

Businesses: Don’t forget – data protection includes personal identity

By Paul Holland, CEO, Beyond Encryption

Data is the foundation for every business, so it’s little wonder that there has been such a huge focus and overhaul of the obligations placed upon individuals and businesses as far as data is concerned.

However, for businesses that handle very sensitive information, such as financial or medical data, keeping the focus on personal identity is key.

Identity

Following the GDPR rollout on 25th May 2018, the industries’ enforcement agent, the Data Protection Office (DPO), is turning its attention from implementation to enforcement.

Even though the GDPR legislation has been active for more than 18 months, the Information Commissioner’s Office (ICO), continues to make examples of businesses that are not doing enough to protect the data they hold.

Just two days before 2019 drew to a close, the ICO levied a £275,000 fine upon a business in London for infringement of the General Data Protection Regulation (GDPR). The ICO deemed the businesses as “failing to process data in a manner that ensures appropriate security against unauthorised or unlawful processing and accidental loss, destruction or damage.”

When the GDPR regulation came into force, the ICO said they would be making examples of businesses who were not abiding by the law and businesses, small and large, are already hitting the headlines. A number of high profile cases have been reported in the media including British Airways and Marriott hotels.

Losing focus on personal identity

Whilst many businesses worry about the threat of data, and what a data breach could mean for their reputation, less focus has been placed upon identity. However, it’s likely that a cyber criminal’s pursuit of our personal and sensitive information may well be with ID fraud in mind.

Whether we realise it or not, most of our day to day activity involves identity in one way or another.

One could argue that we authenticate / validate those parties we wish to have access to our homes or offices by giving them a key which provides ‘ID verification’ to permit access.

Most of us gain access to our smart devices multiple times a day and in many cases using biometrics to authenticate our identity.

When we phone our banks, the call centre representatives will ‘challenge us’ using pre-agreed question and answer swaps before they will allow us to transact.

We identify ourselves to our desktop computers using usernames and passwords amongst other methods.

The more we realise that our personal identity is an increasingly large part of our daily life and work routines, the more important it becomes to focus on how we can improve the security around our identities.

Business and Identity

Looking at the professional services sector as an example, it’s easy to see how protecting our identity is more important than ever.

Many institutions associated with professional services have been obliged for a long time to respect confidentiality. Whether that is accounting, finance or legal firms, in its broadest sense the GDPR legislation is accompanied by requirements placed upon businesses and individuals as part of their own sector specific regulatory requirements.

In fact, financial and medical data may well be amongst the most sensitive. It’s likely that those wishing to defraud us may see greater gain when they focus upon the former.

For the financial services industry, the subject of identity in the context of data protection and process, resonates across several legislative obligations:

  • GDPR         –        General Data Protection Regulations
  • MIFIDII      –        Markets in Financial Instruments Directive
  • SM&CR      –        Senior Managers and Certification Regime

GDPR
The ICO’s published guidelines that emphasise the fact that when communicating digitally, encryption alone may not be an adequate measure.

Verifying the identity of the email recipient is equally important in fear of delivering a securely encrypted message to the wrong party whilst still enabling them to read the content.

How many of us have inadvertently sent an email to the wrong person? In most cases this simple error won’t result in any major issues but if the communication in question is carrying sensitive information, such a mistake could lead to immeasurable damage, financially and reputationally.

Encryption and ID verification are, according to the ICO, measures which should form part of a professional’s obligation to protect ‘sensitive’ data.

MIFIDII

MIFIDII includes the need to verify safe receipt and reading of sensitive financial information. Of course, such an audit requires the sender to be in a position to verify the recipient’s identity adequately if they are to satisfy such requirements.

Similarly, MIFIDII compels investment fund providers to advise customers immediately if their plan valuations drop by 10% or more – again an expedient and ID verified digital communications methodology is imperative.

SM&CR

The recently implemented and latest revisions to this legislation place personal obligations upon individual within a business, namely if a party responsible for protecting data fails to do so they can now be held personally liable!

Proving identity

In an increasingly online world, with cyber-crime increasing at ever increasing rates, proving our identity remotely presents increasing challenges.

Many financial services institutions need to interact with their clients and send them sensitive documents. Publishing such information within a portal for ‘collection’ offers one solution whilst, statistically, we each hold around 118 such login areas across our various supplier relationships. They might also use external providers to send these sensitive documents using the traditional postal service, all containing potentially sensitive information such as dates of birth, name and address – maybe even medical data, investment information or bank account details.

Re-focusing on personal identity

Thanks to technological developments, the financial services market place can now benefit from services that seek to address this issue for the product providers and intermediaries that need to ensure sensitive data is always protected.

It’s now possible to ensure that only the intended recipient can open and read email communications from a sender, allowing very little room for unwanted interception by cyber fraudsters.

Client communications and attached documents can be encrypted and sent to a recipient who’s identity is verified before permitting access. The sender is subsequently notified that their message has been safely received by the intended recipient.

Confidentiality

This secure digital communications approach has already proven to be imperative for the professional services sector. It means that sending documentation to clients is no longer attached to the worry of being targeted by fraud.

It’s time for more businesses to familiarise themselves with ways that could simply and significantly reduce the risk of cybercrime through identity fraud in their organisation.

About the author

With over 30 years’ experience in the development of web platforms for the professional service industry, Paul is the founder of Beyond Encryption. Having created the technology behind some of the country’s best-known comparison engines, Paul’s visionary leadership is the driving force behind Beyond Encryption.

Beyond Encryption

Beyond Encryption’s roots go back to 2009 when Paul Holland started investing in Mailock technology and architecture to combat the emergence of identity theft and email cybercrime.

In 2013, the first version first version of the Mailock products were delivered and in 2016, Beyond Encryption was founded to better represent the values of their products which truly go “Beyond Encryption”.

Every company in the world today has a responsibility to secure its customers’ identity and act as guardians of their information. Failure to do so goes far beyond financial loss with the impact to brand value and reputation potentially being far more costly.

Beyond Encryption is passionate about helping companies and individuals secure their most import assets online, their data and their identity.