Data Security

Information matters in many aspects of the modern world. Within organizations, its importance lies in its accuracy, its usefulness for decision-making, and its uniqueness in providing a competitive advantage. From an organizational standpoint, data has therefore become one of the most critical assets.

In other cases, information is essential to carrying out everyday operations smoothly. Data held by modern organizations has become increasingly sensitive, since it may include confidential customer information, and losing it may result in severe ethical and legal consequences. For this reason, personal data protection has become relevant in recent years, especially after recent scandals such as those involving Equifax, Yahoo, Facebook, Uber, Cambridge Analytica, etc.

Personal Data and Security Breaches

Because data is important, and valuable to the cybercriminals who seek access to it, we continuously observe these criminals exploiting gaps and loopholes in companies' cybersecurity, using different attack vectors to achieve malicious purposes.

For example, in 2014, there were known cases of information leakage related to Point of Sale malware in companies such as Target, Home Depot, and UPS, where the attackers managed to obtain the card numbers of more than 40 million credit and debit card users. Companies like eBay or Yahoo! also felt the need to notify thousands of users that their accounts and passwords had been leaked through an attack. Situations like these have helped develop the cybersecurity sector as we know it today. According to a report by Forbes, cybersecurity will become one of the most essential jobs in the world by the end of 2019.

“What we should actually be doing is thinking about what are our key controls that will mitigate the risks. How do we have those funneled and controlled through the team that we have, how do we work through that in a well formatted, formulated process and pay attention to those controls we have chosen? Not a continual, add more, add more, add more.” — Dr. Chris Pierson, Chief Executive Officer at Binary Sun Cyber Risk Advisors, SecureWorld Charlotte

In 2015, other industries were also affected, as in the case of the Community Health System (CHS) in the United States, which was the victim of a hack that compromised 4.5 million medical records. According to the entity's statement, its systems were victims of an advanced persistent threat (APT). Another of the best-known cases that year was the theft of confidential data from Ashley Madison, an online dating site specializing in extramarital affairs, which put its 37 million users in potential danger.

Regardless of a company's activities, the industry to which it belongs, its size or geographical location, and the attack used against it, the most common consequence is usually the leakage of information, which directly affects the organization's image. The list of affected parties includes companies, governments, and other entities, and the impact falls on thousands and even millions of users.

For these reasons, different countries have issued laws for the protection of personal data, which must be met by public or private sector entities that deal with personal information. Data protection is a civil right that gives each individual the power to control, at will, their personal information that is stored, processed, or transmitted by third parties.

Definition and Classification of Personal Data

Personal data means any information concerning and associated with a person, allowing us to identify them. These data characterize us as individuals and determine our public and private activities. Because each piece of information is directly related to people, each person owns their personal data and is the one who decides whether to share it or not.

Among these data are those that identify the person or allow communication with the owner. Data related to employment, and data about the person's physical characteristics, such as physiognomy, anatomy, or traits, also fall into this category. In addition, it covers information about training and professional activities, data related to the person's assets, and biometric information.

Some personal data may be more sensitive than others. This category includes those involving the owner's private sphere, whose improper use could lead to some negative impact, such as discrimination. They include ethnic origin, health status, religious beliefs, sexual preference, affiliation, or political opinions. 

The Importance of Protection of Personal Data

The diversity of information associated with a person is vast, and the data considered personal are used in many daily activities.

This expands the range of options for cybercriminals seeking to profit from the information since technological means are now used to commit crimes. At this point, information security becomes relevant, mainly because each security breach related to an information leak has different consequences. These consequences are based on the data stolen, the type of company that has been affected, and the industry to which that organization belongs.

For the above reason, and because personal data belongs to its owner and not to the entities that store it in their databases, initiatives have been launched around the world that seek to protect the personal data of individuals or governments. They make the task of information protection a shared responsibility among users, the companies that have access to the data, and governments, which must legislate and create institutions responsible for regulating and enforcing laws.