We now operate in a world where the security of data is as important as the physical security of people, or that of the buildings and infrastructure where we live and work.
As technology becomes yet more pervasive, we are storing and processing more and more data about individuals, clients, employees and assets, and using it for an increasing number of purposes. While many jurisdictions already have specific laws to protect personal data – the General Data Protection Regulation (GDPR) in the EU being an important example – as RICS professionals we also need to consider the way sensitive data about clients and organisations is managed and protected.
Is this a question of technology, processes and procedures; or, more fundamentally, an issue of conduct and ethics that is central to being an RICS professional?
"As RICS professionals we need to consider the way sensitive data is managed and protected"
An ethical duty
While legislation such as GDPR and the contractual agreements you have with clients together define how personal and commercial data should be processed and protected, we have an ethical duty to manage and protect all kinds of data to the highest possible standards.
This responsibility falls on us all at every level of any organisation, irrespective of its size, the sector in which we work, or the country in which we practise. The question we should ask ourselves is how we would want a third party to manage and protect our data.
In addition to the fundamental ethical imperative, there are strong practical reasons to manage and protect all kinds of data in order to protect our customers, organisations and profession from financial loss, reputational damage and business interruption.
All the same, there is an ever-increasing list of parties using an evolving set of approaches to access data, intercept and change payee details, and otherwise damage, infect or extract ransom payments from us.
- unskilled individuals using code developed by others, often referred to as script kiddies
- hacktivists
- organised criminals
- state proxies
- nation states
- business insiders.
Recent cases around the world highlight the risks to reputation and business continuity as well as the potential for financial loss that can be caused by hacking. These also stress the risks associated with using third-party suppliers to provide shared web hosting and other services, with devices that form the ever-growing internet of things (IoT).
When, not if
As former FBI director Robert Muller stated at a 2012 conference on cyber security, ‘I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.’
There is an ever-increasing number of examples of large companies’ data being targeted. Customers of US retailer Target had their data stolen via the credentials of one of its heating, ventilation and air conditioning suppliers, who had access to the company’s network. In the UK, TicketMaster and British Airways (BA) both suffered data breaches, with customer credit card data being stolen.
As a consequence, BA could be fined £183m by the Information Commissioner’s Office, and TicketMaster is facing a multi-million-pound lawsuit. In the latter case, the breach occurred via a third-party chatbot service, and when BA’s website was penetrated customers were also redirected to a malicious external website that harvested their credit card information.
In Norway, aluminium and energy producer Norsk Hydro suffered a ransomware attack early in 2019 that seriously affected its computer networks and reportedly cost the firm some $52m.
It is also important to note that hackers do not always seek ransom or phish for credit card details but can be damaging in other ways. In one instance, an attacker gained access to an IoT device in a warehouse and raised the temperature of the cold storage unit, resulting in the unplanned defrosting and spoilage of the contents.
- customer and commercial: this includes the way you use data for services and marketing, how you process it and use it to manage contracts, and how you delete data on request
- employer and employee: this covers use of personal data and how you deal with people’s requests to access their data
- crisis management: what are your data breach protocols, and how do you tackle theft or unauthorised issue of personal and other data.
How far we may insure the risks is perhaps an obvious consideration, but still important. As with all insurance there is a danger that protection from losses creates a moral hazard; but cover can provide a useful discipline for organisations and a source of support when putting technology, policies and procedures in place, as well as in the event of an actual data breach.
Policies and premiums come at a cost, and insurers will look for evidence of your existing technology, processes and procedures. Insurance is unlikely to cover fines by regulators and there are question marks over its use to pay ransomware demands.
Indeed, the legality of such payments is doubtful given that many of those demanding a ransom may be linked to terrorist organisations, and the Terrorism Act 2000 explicitly makes such payments illegal in the UK.
It is essential to recognise that this is an issue of when, not if, and that it needs to be the responsibility of a firm’s board or principal to deal with it.
You should assemble your cyber-response team – even if it consists only of you with support from professional advisers – with legal, senior executive, IT, information security, risk and compliance, PR and HR departments all involved as well. Your plans and communications should not depend on your current systems either, because in the event of an attack these themselves may also be compromised.
GDPR's impact
Your plans should address both personal data and all other sensitive data. GDPR has been in place for almost two years now and its impact has been immediate and wide-ranging; for instance, a Swedish high school attracted fines and other sanctions under the regulation for using CCTV and facial recognition technology on its pupils. Since GDPR protects EU and EEA nationals wherever they reside and covers all data processing in the EU and EEA, its effects are felt beyond Europe itself, with firms around the world recognising their responsibilities to EU citizens.
Other jurisdictions are setting the bar for personal data handling at similar levels, with legislation coming into force at state level in California early this year, for instance.
The box below details the factors you should therefore consider when making your plans. While some of these relate to technology and infrastructure, many concern processes, documentation, education, and working closely with suppliers to ensure that data is protected at every stage. Although cyber crime is the new normal, many of the common-sense approaches we already use for physical security can be applied digitally.
Related competencies include: Data management, Ethics, Rules of Conduct and professionalism
Data protection plans: key considerations
- Assessment and documentation of any potential risks to both personal and client data
- Defining and maintaining a data retention policy
- Understanding and recording the purposes for which data is being collected and held
- Understanding and documenting data processing procedures
- Understanding where data is recorded, and all the jurisdictional requirements that apply
- Managing relationships with third parties that process data on your behalf
- Appointing a person responsible for enquiries and controls
- Ensuring employees follow your controls, policies and procedures
- Devising passwords that are difficult to guess
- Use of firewalls and anti-malware and anti-virus tools
- Use of encryption for personal information and cardholder data during transmission
- Use of multiple methods for validating payment details to prevent fraud
- Ensuring personal and client data is protected from unauthorised access, whether it is stored digitally or in physical form
- Ensuring data is backed up regularly
- Ensuring acceptable use of client data through contractual clauses
- Ensuring that any use of third-party data is licensed
- Ensuring consent is obtained for storing and processing data, and that this can be demonstrated
- Ensuring that appropriate regulators are notified should a significant data breach occur
- Ensuring where necessary that affected data subjects are notified of a significant breach