When companies are hacked, and their customers’ personal information is stolen, they really have only themselves to blame

When companies are hacked and their customers’ personal information is stolen, they really have only themselves to blame. As a consultant who has exposure to banking, insurance, retail, pharma and social media companies, I know hacks are almost guaranteed to occur. Most companies have no logical plan to prevent personal data loss to hackers beyond firewalls, cyber security programs, virus protection and similar well-understood technologies, because they fear that really protecting the data would also make it unusable to them and bring their day-to-day business activities to a halt.

The truest protection for personal data is to plan for its encryption. But first companies must realize there are products available that allow existing business applications to access encrypted data with a minimum of modification to legacy and production applications. Don’t fear that your prized and valuable data assets will become useless. I can personally demonstrate techniques, methodologies and products that maintain the value of your data assets even when significant portions of the data environment remain encrypted.

Let’s not talk about GDPR and other countries’ current and future regulatory compliance. Companies should all along have been taking responsibility for protecting their customers’ personal data. Had their efforts been more sincere from the beginning, and had they received better conceptual direction from others, I believe companies would not now be facing such customer backlash and governmental scrutiny. With hackers being so much more sophisticated, it is more important than ever to direct your attention to protecting customers’ personal data. Companies must look beyond traditional intrusion-protection technologies to clever methodologies, coupled with encryption and decryption technologies, that make the data useless to hackers while maintaining its value to the company.

What initial steps should a company take to protect itself from punitive fines while also implementing modern design concepts that protect the personal data in its environment?

  1. Complete a Data Protection Impact Assessment (DPIA). The first step is to understand where in the environment your company has exposed personal data. Using modern applications, the large majority of your documents, legacy data systems, emails and various data stores can be processed and understood within a few months.
  • GDPR regulators have indicated this is a primary step to demonstrate your willingness to reach compliance and will significantly lower any imposed fines.
  • Knowing the location of large volumes of exposed personal data will focus your efforts in the following steps.
  2. Analyze and document current Point-Of-Sale, Analytics, AI, Marketing, Research and similar applications that use personal data. Point-Of-Sale video: https://youtu.be/iKENBHf6L_I
  3. Analyze where in your environment you process live streaming data such as social media, third-party data, IoT and others, so that plans can be made to discover and remediate personal data before it becomes data at rest, a process that certain software products are able to perform.
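The discovery-and-remediation step above is where a scanner sits in front of the data store and strips personal data out of each streamed record before it lands at rest. The following is an added example, not code from the post or from any product the author mentions: a small Go filter that recognises two personal-data kinds (e-mail addresses and Luhn-valid payment card numbers; the patterns and this narrow scope are the example’s own assumptions, a real DPIA scanner would carry many more) and redacts them in place. The sample stream lines are constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Two personal-data kinds for this example (hypothetical scope; a real DPIA
// scanner would carry many more patterns, by jurisdiction and data class).
var (
	emailRe = regexp.MustCompile(`[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}`)
	// 13 to 19 digits, optionally separated by single spaces or hyphens
	cardRe = regexp.MustCompile(`\b\d(?:[ -]?\d){12,18}\b`)
)

// Finding is one personal-data item located in a record.
type Finding struct {
	Kind  string // "email" or "card"
	Value string // exact text as it appeared, so it can be redacted in place
}

func onlyDigits(s string) string {
	return strings.Map(func(r rune) rune {
		if r >= '0' && r <= '9' {
			return r
		}
		return -1
	}, s)
}

// luhnValid reports whether a digit string passes the Luhn checksum. This drops
// most order numbers and timestamps that merely look like card numbers.
func luhnValid(digits string) bool {
	if len(digits) < 13 {
		return false
	}
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// Scan locates personal data in one streamed record (a social-media event, a
// third-party feed line, an IoT message) before it is written anywhere.
func Scan(record string) []Finding {
	var out []Finding
	for _, m := range emailRe.FindAllString(record, -1) {
		out = append(out, Finding{Kind: "email", Value: m})
	}
	for _, m := range cardRe.FindAllString(record, -1) {
		if luhnValid(onlyDigits(m)) {
			out = append(out, Finding{Kind: "card", Value: m})
		}
	}
	return out
}

// Redact rewrites the record so that only non-identifying remnants reach the
// data store: e-mail addresses are dropped, card numbers keep the last four digits.
func Redact(record string) string {
	for _, f := range Scan(record) {
		repl := "[email]"
		if f.Kind == "card" {
			d := onlyDigits(f.Value)
			repl = "[card ****" + d[len(d)-4:] + "]"
		}
		record = strings.ReplaceAll(record, f.Value, repl)
	}
	return record
}

func main() {
	// constructed sample stream lines, not real data
	lines := []string{
		`{"user":"alice@example.invalid","note":"paid with 4111 1111 1111 1111"}`,
		`{"sensor":"door-7","event":"open","order":"1234567890123456"}`,
	}
	for _, l := range lines {
		fmt.Printf("%d finding(s): %s\n", len(Scan(l)), Redact(l))
	}
}
```

The Luhn check is what keeps the second sample line (a sixteen-digit order number) out of the findings; without it, a regex-only scanner floods the DPIA with false positives and the remediation step starts redacting data the business needs. Run the filter on the Kafka or Spark consumer side, before the write, so the repository never sees the raw value.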

The above steps are most easily accomplished using a ‘central repository’ where data assets of many types and structures can be held together, such as Hadoop, AWS S3, HBase, Cassandra and others.

  4. Acquire or build APIs in Spark / Kafka, preferably in Java, using the Hadoop, HBase and/or AWS S3 frameworks and platforms for scalability.
  5. These APIs will be used to securely access and decrypt data in the encrypted data environment one record, or a small group of records, at a time. They will allow a company’s point-of-sale and other customer-service applications to function with only minimal modification.
  6. For processing large amounts of data for analytics and other similar purposes, I recommend an off-the-grid environment that uses the APIs to pull data from the encrypted environment and decrypts it only once it is at rest in the new environment.
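Steps 4 to 6 describe a repository that holds personal data only in sealed form, with an API that decrypts one record at a time for point-of-sale use and hands bulk consumers nothing but sealed records. The following is an added example of that design, not the author’s code or any product’s; the post prefers Java on Hadoop/HBase/S3, but it is written here in Go so it runs stand-alone, with an in-memory map standing in for the repository and an in-process master key standing in for a KMS or HSM (both assumptions). Each record gets its own data key, wrapped under the master key, and the customer ID is bound into both ciphertexts as AES-GCM associated data so a sealed row cannot be silently moved under another customer. The sample record is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// StoredRecord is one row in the encrypted repository. Only the lookup key is in
// the clear; the personal data is a sealed blob. Hypothetical layout, standing in
// for an HBase row or an S3 object.
type StoredRecord struct {
	CustomerID string // clear lookup key, also bound into both ciphertexts as AAD
	WrappedKey []byte // per-record data key, sealed under the master key
	Ciphertext []byte // personal data, sealed under the per-record data key
}

// Vault holds the master key and the records. In production the master key would
// live in a KMS or HSM and the map would be the central repository (assumption).
type Vault struct {
	master []byte
	store  map[string]StoredRecord
}

func NewVault(master []byte) (*Vault, error) {
	if len(master) != 32 {
		return nil, errors.New("master key must be 32 bytes (AES-256)")
	}
	return &Vault{master: master, store: map[string]StoredRecord{}}, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM encrypts with AES-256-GCM and prepends the random nonce.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM; it fails if the data, the tag or the AAD was altered.
func openGCM(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Put seals one customer's personal data before it is written at rest.
func (v *Vault) Put(customerID string, personalData []byte) error {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return err
	}
	ct, err := sealGCM(dataKey, personalData, []byte(customerID))
	if err != nil {
		return err
	}
	wrapped, err := sealGCM(v.master, dataKey, []byte(customerID))
	if err != nil {
		return err
	}
	v.store[customerID] = StoredRecord{CustomerID: customerID, WrappedKey: wrapped, Ciphertext: ct}
	return nil
}

// Lookup is the record-at-a-time call a point-of-sale application makes: it
// unwraps one data key and decrypts one record; nothing else is exposed.
func (v *Vault) Lookup(customerID string) ([]byte, error) {
	rec, ok := v.store[customerID]
	if !ok {
		return nil, errors.New("no such customer")
	}
	dataKey, err := openGCM(v.master, rec.WrappedKey, []byte(customerID))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return openGCM(dataKey, rec.Ciphertext, []byte(customerID))
}

// Snapshot is what a bulk consumer gets (an analytics export, a backup, a copied
// disk): every record still sealed, usable only where the master key lives.
func (v *Vault) Snapshot() map[string]StoredRecord {
	out := make(map[string]StoredRecord, len(v.store))
	for k, r := range v.store {
		out[k] = r
	}
	return out
}

func main() {
	master := make([]byte, 32)
	if _, err := rand.Read(master); err != nil {
		panic(err)
	}
	v, _ := NewVault(master)
	// constructed sample record, not real customer data
	_ = v.Put("cust-1001", []byte(`{"name":"A. Example","email":"a@example.invalid"}`))
	pt, err := v.Lookup("cust-1001")
	fmt.Printf("lookup: %s (err=%v)\n", pt, err)
	fmt.Printf("at rest: %x...\n", v.Snapshot()["cust-1001"].Ciphertext[:8])
}
```

The off-the-grid analytics environment of step 6 is the one place that would hold the master key besides the lookup API; it takes a Snapshot, unwraps keys there, and the records only become plaintext once they are at rest inside it. The per-record data key is what makes single-record access cheap and bulk exposure expensive: a leaked snapshot without the master key is uniformly sealed, and the AAD binding means a row cannot be re-labelled to answer a different customer’s lookup.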

If these six steps are implemented, I believe you could confidently tell customers their personal data is safe, and that regulators will be satisfied.

Take advantage of the time remaining before regulators find technologies of their own that will identify your weaknesses in a way that would withstand scrutiny in a courtroom. Regulators are quiet at the moment, but, to be transparent, we believe others (like me) are making them aware of technologies and methodologies that will give them a distinct advantage over complacent companies. https://youtu.be/nwwqZTY_6Gc

Steven Meister, 847-791-7838, steven@gdprcompliancymaster.com
