Print this chapterPrint this chapter

How Data Informs Business

Policies for the Data Economy

Data Security

On March 22, 2018, the U.S. city of Atlanta was hit by the dreaded SamSam ransomware attack, which brought the city's ICT systems to a halt. Utilities could not collect bill payments, citizens could not pay traffic tickets, the police had to note complaints by hand ­– the city's digital apparatus essentially stopped functioning and many departments and agencies lost several years of data. Unfortunately, this was not an isolated incident. In India, a journalist was able to obtain unauthorized data from Aadhar, the national digital identification system. And in Mexico, web users were surprised to discover that the voter data of more than 93 million Mexican citizens was easily accessible online even though the information was classified as confidential.

It is evident that "not all data is created equal". Most data is likely of low value, with more limited amounts of medium value, let alone high value. And risk varies across types of data assets too. From a business's perspective, it makes little financial sense to spend as much protecting all assets regardless of their value or the risks they face. Such a requirement could impose a crippling financial burden. At the same time, most organizations lack the skills to properly audit their data assets and thus end up with "orphan assets" littered across systems whose value is less than the cost of controls to protect them. What organizations should focus on, at a minimum, are their "extraordinary assets" critical to them as well as data for which costs or breaches of privacy rights could be significant should the data become public. If protecting everything equally is not an option, taking this risk management approach should safeguard against deprioritizing sensitive data that is of low financial value to a firm that holds it.

A recent report found significant vulnerabilities in more than three-quarters of applications used by the federal government in the United States . Numerous reasons appear to explain this:

  • Poor data management processes ­– including inconsistent response, unresolved issues, notification practices, and lack of data encryption practices

  • Legacy systems and old software ­– still in use in many government organizations

  • Poor capacity and skills ­– due to government's inability to attract top-drawer data-security talent

  • A low priority afforded to security when making technical infrastructure investments ­– in a recent study, respondents showed a marked preference for investments in network security and end-point security over investments in data-at-rest security

Data security is not only about ICT; it should also cover "analog" aspects of security (such as vetting of staff and physical access to control buildings). Countries use policies as a tool to manage risks and help respond to actual incidents. Data security policies can be in different kinds of laws, including cybersecurity and data protection laws. Governments have to consider leading by example and applying themselves to strong data security measures, in addition to what they expect from the ICT industry.

The OECD identified the main common principles for information security in their Guidelines for Information Security and Networks in 2002 and updated them in the OECD Recommendation on Digital Security and Risk management; these principles were further spelled out in the Madrid Declaration. They emphasize risk management, awareness raising, having a preparedness and continuity plan to respond to incidents, and adoption of security measures to avoid data corruption, loss, misuse, or unauthorized access. They also highlight stakeholder cooperation, including across borders, given that most incidents have a multi- country footprint. Robust cybersecurity policies, targeting the vulnerability of IT systems, infrastructure, and networks beyond data, should complement data security policies. Different international initiatives have produced or are producing guidelines on cybersecurity.

For consumers, one of the rising trends is to request data breach notifications. Breach notifications can be useful to consumers when their data has been compromised or lost, since a notification allows them to take corrective action as needed. Different countries have different requirements for breach notification, and the main differences are the triggers and timeline for notification. The triggers determine what level of breach is required in order to notify consumers and can rely, for instance, on the sensitivity of the information accessed and the likelihood that it will be misused.

In a report on data-driven innovation, the OECD recommends that organizations establish a systematic framework of digital security risk management processes and weld it together with the data value cycle (figure 6.3). In this framework, the criteria for determining the level of security are based on the acceptable level of risk to the economic and social activities at stake and not the likelihood of threat. Such an approach is premised on the primacy of data as a socioeconomic asset that justifies the move from a culture of security to a culture of risk management.

Figure 6.3 Digital security risk management cycle