Information is important in the modern world in many respects. Within an organization, for example, its importance lies in its accuracy, its usefulness for decision making, and its uniqueness as a source of competitive advantage. Data has therefore become one of an organization's most important assets.
In other cases, information is essential to carrying out everyday operations smoothly. Data held by modern organizations has become increasingly sensitive, since it may include confidential customer information whose loss can have severe ethical and legal consequences. For this reason, the protection of personal data has become relevant in recent years, especially after scandals such as those of Equifax, Yahoo, Facebook, Uber, Cambridge Analytica, etc.
Personal Data and Security Breaches
Because of the importance of data and the benefits it brings to cybercriminals who seek access to it, we continuously see these criminals exploiting security gaps and loopholes in companies' cybersecurity, using different attack vectors to achieve malicious purposes.
For example, in 2014 there were known cases of information leakage related to Point of Sale malware at companies such as Target, Home Depot and UPS, where the attackers managed to obtain the numbers of more than 40 million credit and debit card users. Companies like eBay or Yahoo! also felt the need to notify thousands of users that their accounts and passwords had been leaked through an attack. Situations like these have helped develop the cybersecurity sector as we know it today. According to a report by Forbes, cybersecurity will become one of the most important jobs in the world by the end of 2019.
“What we should actually be doing is thinking about what are our key controls that will mitigate the risks. How do we have those funneled and controlled through the team that we have, how do we work through that in a well formatted, formulated process and pay attention to those controls we have chosen? Not a continual, add more, add more, add more.” — Dr. Chris Pierson, Chief Executive Officer at Binary Sun Cyber Risk Advisors, SecureWorld Charlotte
In 2015, other industries were also affected. Community Health Systems (CHS) in the United States was the victim of a hack that compromised 4.5 million medical records; according to the entity's statement, its systems were victims of an APT. Another of the best-known cases that year was the theft of confidential data from Ashley Madison, an online dating site specializing in extramarital affairs, which put its 37 million users in potential danger.
Regardless of a company's activities, industry, size or geographical location, and regardless of the attack used against it, the most common consequence is the leakage of information, which directly affects the organization's image. The list of those affected includes companies, governments and other entities, and the impact reaches thousands and even millions of users.
For these reasons, different countries have issued laws for the protection of personal data, which public and private sector entities that handle personal information must comply with. Data protection is a civil right that gives each individual the power to control at will their personal information that is stored, processed or transmitted by third parties.
Definition and Classification of Personal Data
Personal data means any information concerning and associated with a person that allows that person to be identified. These data characterize us as individuals and determine our activities, both public and private. Because each piece of information is directly related to a person, each person owns their personal data and is the one who decides whether to share them or not.
Among these data are those that identify the person and those that allow communication with the owner. Data related to employment and data about physical characteristics, such as the physiognomy, anatomy or traits of the person, also fall into this category. In addition, it covers information related to training and professional activities, data related to the person's assets, and biometric information.
Some personal data may be more sensitive than others. This category includes those that involve the private sphere of the owner, whose improper use could lead to some negative impact, such as discrimination. They include aspects such as ethnic origin, health status, religious beliefs, sexual preference, affiliation or political opinions.
The Importance of Protection of Personal Data
The range of information that can be associated with a person is wide, and the data considered personal are used in many daily activities. This expands the options for cybercriminals who seek to profit from the information, since technological means are now used to commit crimes. It is at this point that information security becomes relevant, especially because each security breach involving an information leak has different consequences. These consequences depend on the data that is stolen, the type of company affected, and the industry to which that organization belongs.
For this reason, and because personal data belongs to its owner and not to the entities that store it in their databases, initiatives have been launched around the world to protect personal data that are in possession of individuals or governments. This makes information protection a shared responsibility among users, companies that have access to data, and governments, which must legislate and create institutions responsible for regulating and enforcing the laws.