Today marks the fifth anniversary of GDPR going into effect, a good time to step back and look at the intrinsic purpose of this European Union (EU) regulation. It replaced the 1995 Data Protection Directive, which had been transposed unevenly across the member states, because the existing data protection laws and initiatives were widely understood to be woefully weak. As data became the common currency of a more connected world, there was a need to enforce (that is, regulate) a basic principle of human relationships. That principle is trust.
Throughout history, trust within the family, the marriage, the workplace, and society at large has been the basis for harmony, and when trust is wounded, love and mutual respect are likely to wane. Applied to our modern world, GDPR enforces the rule “earn trust, or else.”
So how do we define trust in the context of personal data? It’s as simple as, I trust my data will:
- Remain private.
- Remain secure.
- Not be sold or shared.
- Be deleted upon request.
The recent $1.3 billion GDPR fine that Ireland’s data protection regulator imposed on Meta is, at bottom, a punishment for violating the implicit trust contract between the company and its user community. Being suspected, accused, tried, and sentenced for violating that trust, or for misrepresenting privacy practices, comes with a hefty price.
In the early days of the internet, people relied on trust, but a little differently than they do now. Back then it was, “On a good day, I trust my internet connection will work, my emails will get delivered and received, and my payments made.” Today, most of us trust these tasks will happen, but our demand for more trust has certainly risen over time.
Now, let’s compare information security to the trust paradigm we just described. In a world where the buzzwords are “zero trust,” “trust but verify,” “never trust, always verify,” “verify everything,” and “don’t trust anything,” most people realize that there is a serious lack of trust around their money, their data, and their privacy. And if we are honest, we have lots of work to do to restore trust in a system that is broken at many levels.
Ransomware is a clear example. Every day, organizations of all kinds trust that their operations will continue to hum right along. When a ransomware attack hits, that trust is broken because the basic assumption underlying it is upended: “I trusted that I could do my job, serve my customers, and generate a positive outcome, but now that is not possible.” Take the city of Dallas. Local news reported that its citizens are still being impacted by a ransomware attack that began weeks ago. So how long will it take for city officials to regain the trust of the community? Several years.
And if you look at the entire cybersecurity industry, its community, product manufacturers, technology innovators, and experts, they all exist for one purpose: to establish, maintain, and prove that customers can trust their products.
The whole issue around Meta and the accompanying penalty is a violation of the trust contract. People join the social network not only to connect with friends and family, but also because they believe they can do so without their data being misused. When a company knowingly (or unknowingly) breaches that basic trust, the result is usually not more profit for the company. In fact, it is the exact opposite.
Therefore, I would like to petition the entire world of high tech, and every organization that relies upon it: build trust, everywhere. The balance sheets will look much better because of it.
Stephen Gates, Principal Security SME, Horizon3.ai