The fall-out from Safe Harbour and other security predictions for 2016

As we look back on an eventful 2015, business leaders will be reviewing their plans for the new year. Given the hacks on businesses and government agencies, a theme that will carry over into 2016 is how organisations can better protect sensitive data from cybercrime and unwelcome surveillance.

As we have seen this year, threats to data are constantly evolving. Companies that simply react to threats are likely to be left scrambling, hastily deploying reactive measures that may not serve them in the long term. Meanwhile, the negative publicity and financial penalties following a disclosed breach are compelling organisations to put a proactive approach to data protection as a top New Year’s resolution.

When it comes to data protection, the European Court of Justice's (ECJ) October suspension of the 15-year-old EU-US Safe Harbour agreement has set up a conundrum for the thousands of businesses that relied on the pact for transferring personal data across the Atlantic. The ECJ contended that pervasive surveillance by US intelligence agencies jeopardises data privacy, which invalidates Safe Harbour. This was compounded by the fact that EU citizens had no means of legal recourse against the misuse of their data in the US.

The implications of this ruling are particularly enormous given the lack of guidance on next steps for organisations caught in the middle. A replacement for Safe Harbour has been under negotiation for the last two years, but until it is complete, companies are operating in uncharted territory. Even after much haggling in 2016, there is no guarantee that DC, Brussels and the 28 independent EU DPAs will finally agree on a new privacy framework.

This void doesn’t mean that companies can no longer transfer data. But there aren’t any guarantees that the measures companies do take will be approved by the different entities involved. There is also no clear indication of the potential damages companies might face if their security measures are deemed inadequate.

There are alternatives to Safe Harbour that companies can adopt, mainly model contract clauses and binding corporate rules. But these legal band-aids are problematic. They are complicated and expensive to implement. Worse, early signs indicate they may not stand up to European regulators’ scrutiny. German DPAs have already announced model clauses are unacceptable and have refused to authorise any transfers based on these measures.

The contentious history behind the first pact will almost certainly create delays in the negotiations in 2016, leaving companies to rely on proactive security tools to assure high levels of privacy for cross-Atlantic data transfers. Already, there is an uptick in organisations turning to technology to limit exposure, using encryption and/or tokenization to anonymise data leaving Europe.
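To make the tokenization approach mentioned above concrete, here is an added example (not code from the article or from CipherCloud) of vault-based tokenization: the mapping between real values and tokens is held in an in-region vault, and only the tokens travel across the Atlantic. The record layout, the `PII_FIELDS` list and the `tok_` prefix are assumptions made for the example; the same pattern underlies the "age of encryption" point later in the piece, since the exported data carries nothing an outside party could read.

```python
# Added example (not from the article): tokenize personal data before it
# leaves an EU-hosted system, keeping the token vault in-region so the
# data crossing the Atlantic carries no directly identifying values.
import secrets
from typing import Dict

# Fields treated as personal data in this constructed example (assumption).
PII_FIELDS = ("email", "name")


class TokenVault:
    """Holds the token <-> original value mapping. Stays inside the EU."""

    def __init__(self) -> None:
        self._forward: Dict[str, str] = {}   # value -> token
        self._reverse: Dict[str, str] = {}   # token -> value

    def tokenize(self, value: str) -> str:
        # Reuse an existing token so the same customer keeps one identifier;
        # this lets systems abroad join records without seeing the value.
        if value in self._forward:
            return self._forward[value]
        # The token is random, not derived from the value, so nothing about
        # it can be reversed without access to this vault.
        token = "tok_" + secrets.token_hex(8)
        self._forward[value] = token
        self._reverse[token] = value
        return token

    def detokenize(self, token: str) -> str:
        # Only callable where the vault lives, i.e. inside the EU.
        return self._reverse[token]


def tokenize_record(vault: TokenVault, record: dict) -> dict:
    """Return a copy of the record with every PII field replaced by a token."""
    out = dict(record)
    for field in PII_FIELDS:
        if field in out:
            out[field] = vault.tokenize(out[field])
    return out


def detokenize_record(vault: TokenVault, record: dict) -> dict:
    """Reverse tokenize_record; requires the in-region vault."""
    out = dict(record)
    for field in PII_FIELDS:
        if field in out:
            out[field] = vault.detokenize(out[field])
    return out


def contains_raw_pii(exported: dict, original: dict) -> bool:
    """Defensive check run before export: does any PII value survive as-is?"""
    return any(
        exported.get(field) == original[field]
        for field in PII_FIELDS
        if field in original
    )


if __name__ == "__main__":
    vault = TokenVault()  # stays in the EU data centre
    # Constructed sample record; the email and name are fictitious.
    customer = {"customer_id": 42, "email": "alice@example.com",
                "name": "Alice Example", "plan": "gold"}
    for_export = tokenize_record(vault, customer)
    assert not contains_raw_pii(for_export, customer)
    print("exported:", for_export)            # tokens, plus non-PII fields
    print("restored:", detokenize_record(vault, for_export))
```

Non-identifying fields such as `plan` pass through untouched, so analytics in the US can still run on them; the identifying fields are only recoverable by asking the vault, which never leaves the EU. A production deployment would persist the vault in a database with its own access controls rather than in memory, but the separation of duties is the same.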

In addition to Safe Harbour, other 2016 predictions include:

  • Breaches will see companies disappear – Trust is fundamental to business. But security breaches break the bond between a company and its customers. Once this trust is broken, it is hard to rebuild. The Ashley Madison breach earlier this year put its IPO on hold, and more recently TalkTalk’s breach resulted in a 15 per cent stock decline. The combination of notification laws and the coming EU Data Privacy Regulation will result in more companies being named and shamed when breaches occur.
  • A rise in senior security appointments (and budgets) – Given the high-profile data breaches and security attacks on businesses this year, we will almost certainly see many more senior appointments with “security” or “risk” in the title. This will go hand in hand with an increase in security budgets, particularly at large enterprises. For instance, JP Morgan has already doubled its security spend to $500 million. Home Depot, Neiman Marcus and Target are among a new crop of global brands that have appointed their first-ever CISOs.
  • The age of encryption – Attacks on Ashley Madison, Sony and TalkTalk revealed that these companies simply failed to implement basic security procedures. Encrypting sensitive data would have protected millions of customers’ information from a public leak in Ashley Madison’s case, and would have prevented embarrassing emails from ending at least one Sony executive’s career. TalkTalk’s CEO was quick to point out that the company was under no explicit obligation to encrypt customer data, and then its share price dropped immediately after its latest breach. Encryption will become a byword for security best practice.
  • The year of the CASB – Regulatory focus on security, privacy and sovereignty will see cloud access security brokers (CASBs) come into their own. Companies will need to protect information across the entire IT stack, and CASBs deliver the core technologies that secure data in the growing cloud application stack.

Pravin Kothari, founder and CEO, CipherCloud