DATA PROTECTION AND SECURITY MEASURES

A Review of Current Regulations on Data Protection, Privacy and Information Security.

__________________________________________

Emmanuel Edet

"Security in IT is like locking your house or car; it doesn't stop the bad guys, but if it's good enough they may move on to an easier target."
Paul Herbka

CONTENTS

INTRODUCTION

INFORMATION, PRIVACY, DATA PROTECTION AND SECURITY

LEGAL FRAMEWORK FOR DATA PROTECTION AND PRIVACY

FRAMEWORK FOR DATA PROTECTION AND SECURITY MEASURES

CONCLUSION

INTRODUCTION

Over the last decade, information theft has become one of the fastest growing global crimes. This may be because it is cheap and easy for criminals using modern technology, and because of inadequate legislation or security measures put in place by the information holders. As of January 2010, an estimated 732.8 million computers are connected to the Internet in more than 250 countries on every continent, even Antarctica[1]. The Internet is not a single network, but a worldwide collection of loosely connected networks that are accessible by individual computer hosts, in a variety of ways, to anyone with a computer and a network connection. Thus, individuals and organizations can reach any point on the Internet without regard to national or geographical boundaries or time of day.

However, along with the convenience and easy access to information come risks. Among them are the risks that valuable information will be lost, stolen, changed, or misused. If information is recorded electronically and is available on networked computers, it is more vulnerable than if the same information is printed on paper and locked in a file cabinet. Intruders do not need to enter an office or home; they may not even be in the same country. They can steal or tamper with information without touching a piece of paper or a photocopier. They can also create new electronic files, run their own programs, and hide evidence of their unauthorized activity.

Apart from the network environment, there is also the risk involved in using removable and portable storage devices. In January 2007, the NCC Group published the results of a study they had conducted into IT security[2]. They had sent a gift-wrapped USB memory stick to the Finance Directors of 500 UK public companies, wrapped in packaging suggesting that it contained an exclusive "party invitation of a lifetime". More than half of the Finance Directors plugged the USB stick into their computers, which contained sensitive data and had express connections to their office computer networks, and even clicked on the "Yes I want to install some software" option.
The NCC's comment on this was: "This demonstrates that a fundamental lack of a healthy suspicion by IT users remains even at a senior level. The need for real security awareness has never been greater. This is a serious issue amongst today's businesses and government."

In this paper we will focus on the security and protection of data or information in electronic form. The first part will consider some basic concepts related to data security, while the second part will look at the legal framework for data protection and privacy, with a comparative analysis of the United States, Europe and Nigeria. The third part will suggest security measures, both regulatory and technical, and we will conclude by making recommendations for data protection, security and privacy in Nigeria.

[1] Internet Software Consortium's Internet Domain Survey; http://ftp.isc.org/www/survey/reports/current/
[2] http://www.nccgroup.com/news/view-in-the-press.aspx?id=146

INFORMATION, SECURITY, PRIVACY AND DATA PROTECTION

The term data means groups of information that represent the qualitative or quantitative attributes of a variable or set of variables. In other words, data on its own carries no meaning. In order for data to become information, it must be interpreted to take on a meaning[3]. Sometimes the terms data protection, data security and information security are used to represent the same concepts. However, data protection and privacy are normally used for personal data or information, while information security is normally associated with securing sensitive information on the part of the information holder, usually governments and private institutions that manage data. In this paper we will use the terms in this manner. Thus information security is the means of ensuring that data is kept safe from corruption and that access to it is suitably controlled[4].

There are three basic security concepts important to information, whether on standalone computers, handheld devices or the Internet. These concepts are confidentiality, integrity, and availability. Apart from the data itself, there are concepts relating to the people who use that information, and these concepts are authentication, authorization, and non-repudiation.

When data or information is read or copied by someone not authorized to do so, it affects the confidentiality of that information. For some types of information, confidentiality is a very important attribute. Examples include research data, medical and insurance records, new product specifications, and corporate investment strategies. In some countries, there may be a legal obligation to protect the privacy of individuals.
This is particularly true for banks and loan companies; debt collectors; businesses that extend credit to their customers or issue credit cards; hospitals, doctors' offices, and medical testing laboratories; individuals or agencies that offer services such as psychological counselling or drug treatment; and agencies that collect taxes.

Data or information can be corrupted when it is available on an insecure network or standalone computer. When data or information is modified in unexpected ways, it affects the integrity of such data or information. This means that unauthorized changes are made to information, whether by human error or intentional tampering. Integrity is particularly important for critical safety and financial data used for activities such as electronic funds transfers, air traffic control, and financial accounting.

[3] http://en.wikipedia.org/wiki/Data
[4] http://en.wikipedia.org/wiki/Data_security

Information can be erased or become inaccessible. This means that people who are authorized to get information cannot get what they need. Availability is often the most important attribute in service-oriented businesses that depend on information, for example, airline schedules and online inventory systems. Availability of the network itself is important to anyone whose business or education relies on a network connection. When users cannot access the network or specific services provided on the network, they experience a denial of service.

To make information available to those who need it and who can be trusted with it, organizations use authentication and authorization. Authentication is proving that a user is the person he or she claims to be. That proof may involve something the user knows, such as a password; something the user has, such as a smartcard; or something about the user that proves the person's identity, such as a fingerprint. Authorization is the act of determining whether a particular user has the right to carry out a certain activity, such as reading a file or running a program. Authentication and authorization go hand in hand. Users must be authenticated before carrying out the activity they are authorized to perform. Security is strong when the means of authentication cannot later be refuted: the user cannot later deny that he or she performed the activity. This is known as non-repudiation.

These concepts of information security also apply to the term information assurance; that is, legitimate users of data or information want to be assured that they can trust the information they use, that the information they are responsible for will be shared only in the manner that they expect, that the information will be available when they need it, and that the systems they use will process information in a timely and trustworthy manner.
In addition, information assurance extends to systems of all kinds, including large-scale distributed systems, control systems, and embedded systems, and it encompasses systems with hardware, software, and human components.

Privacy is an important but elusive concept in law. A landmark article in the Harvard Law Review in 1890 is widely credited as establishing the right to privacy as a tradition of common law[5]. In that article, Samuel Warren and Louis Brandeis defined that right as "the right to be let alone". They argued that the right to privacy afforded in common law is founded, not on the principle of protection of private property, but on that of inviolate personality.

[5] Samuel D. Warren and Louis D. Brandeis, The Right to Privacy, Harvard Law Review 4 (1890): 193-220.

The right to privacy is acknowledged in several broad-based international agreements. Article 12 of the Universal Declaration of Human Rights and Article 17 of the United Nations International Covenant on Civil and Political Rights both state that "No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks."

Data protection includes the deployment of measures, which could be administrative, physical or technical, to prevent unauthorised access to data. It can be argued that the origin of the term is from legislative requirements such as the European Convention of Human Rights, the European Data Protection Directive[6] and the Directive on Privacy and Electronic Communications[7]. Practically, it involves the protection of personal data, which covers both facts and opinions about an individual.

LEGAL FRAMEWORK FOR DATA PROTECTION AND PRIVACY

The rapid expansion in electronic communications and commerce over the past years has raised concerns all over the world about personal privacy in an electronic environment. These concerns have captured the attention of the public, the media, and policy-makers, and there is interest in developing explicit policies protecting the privacy of electronic transactions, business and personal data or information. Various jurisdictions have approached the issue differently. For example, there is a sharp contrast between the approaches adopted by the United States and Europe. Where the U.S. approach has been to provide specific and narrowly applicable legislation, in Europe there are unified supra-national policies for the region. Most countries have implemented these policies with omnibus legislation. The European legislation outlines a set of rights and principles for the treatment of personal data, without regard to whether the data is held in the public or private sector. This part will review the development of data protection laws and policies in the United States and Europe. We will also mention the position in Nigeria, if any.

There is no single law in the United States that provides a comprehensive treatment of data protection or privacy. In addition to the constitutional interpretations provided by the courts[8] and the international agreements mentioned above, there have been a number of laws and executive orders dealing specifically with the concept of data protection. Some of the specific pieces of legislation are: the Children's Online Privacy Protection Act (COPPA)[9], which places parents in control of personal information collected from their children online; the Fair Credit Reporting Act (FCRA)[10], which seeks to promote fairness and privacy of information in the possession of consumer reporting agencies and credit bureaus that gather and sell information about consumers to creditors, employers, landlords and other businesses; and the Federal Identity Theft Assumption and Deterrence Act of 1998[11], which makes it a Federal offence to use another's identity to commit crimes. Others are the Federal Privacy Act of 1974[12], which requires federal government executive and regulatory agencies in possession of personal records to apply basic fair information practices to those records; the Health Information Portability and Accountability Act of 1996 (HIPAA), which regulates the protection and confidentiality of personal health records; the Video Privacy Protection Act of 1998[13], which limits the conditions under which a video rental or sales outlet can disclose information about its clients; and the Personal Data Privacy and Security Act 2005, which seeks to prevent and mitigate identity theft and to ensure privacy.

[6] 95/46/EC
[7] Directive 2002/58/E.C OJ L201/37
[8] Example: Whalen v Roe 429 US reports (February 1977) 589-604

In Europe, there are two important supra-national policies in relation to data protection. The first is the Council of Europe's Convention on Data Protection, and the second is the EU Data Directive. In contrast to U.S. privacy law, privacy protection in Europe is addressed by omnibus legislation covering both public and private sectors. That Convention recognizes the right to privacy as one of the fundamental human rights. In the late 1960s, the Council's Committee of Experts on Human Rights conducted a survey with regard to human rights and modern scientific and technological developments.
It concluded that existing laws did not provide adequate protection for individuals given the developments in these areas. Several other committees examined various aspects of the problem and came to similar conclusions. In 1976, the Council established a Committee of Experts on Data Protection that reported its findings in early 1979, and the result was the Council of Europe's Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data. The Council of Europe Convention sets forth the data subject's right to privacy, enumerates a series of basic principles for data, provides for trans-border data flows, and calls for mutual assistance between parties to the treaty, including the establishment of a consultative committee and a procedure for future amendments to the convention[14].

[9] 15 U.S. Code 6501 et seq
[10] 15 U.S. Code 1681-1681u
[11] 18 U.S. Code 1028
[12] 5 U.S. Code 552a
[13] 18 U.S.C. 2710

The EU Data Protection Directive reaffirms the principles outlined in the Council of Europe Convention[15]. Major components of the Directive acknowledge the individual's right to privacy. The Directive sets standards for the treatment of personal data collected from individuals and for individuals' rights of access, notification, and correction. Of particular interest to the United States is the Directive's treatment of data transfers to countries outside the EU. The Directive was adopted in October 1995, and called for member states to bring their national privacy laws into compliance within three years. These national laws are now going into force across Europe. The absence of generic privacy legislation in the U.S. is a major concern to the EU nations; however, the proliferation of privacy laws for various sectors leads to heavier regulation and tighter control.

The Nigerian Constitution echoes the declarations on human rights where it provides that "The privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected"[16]. Apart from this constitutional provision, there is no law in Nigeria that adequately addresses data protection, privacy or information security. An attempt was made at ensuring data protection through the draft Computer Security and Critical Information Infrastructure Protection Bill 2005[17]. Certain sections deal with identity theft and records retention by service providers. These sections are grossly inadequate as they deal with only the telecommunications sector. Aside from this draft bill, the Financial Services Strategy Committee has recently produced a Draft Electronic Transactions Bill. The Bill seeks to create a regulatory framework for conducting transactions using electronic or other media, as well as for the protection of personal data in Nigeria.
Part IV of that Bill makes detailed provisions for the following: Processing of Personal Data, Processing of Sensitive Personal Data, Rights of Data Owner, Rights of Preventing Data Processing, Liability of Data Holder, Processing on Behalf of Data Holder, and Security of Personal Data.

[14] Sarah Ellis and Charles Oppenheim. Legal Issues for Information Professionals, Part III: Data protection and the Media Background to the Data Protection Act 1984 and the EC Draft Directive on Data Protection, Journal of Information Science 19 (1993): 8
[15] Directive 95/46/EC of the European Parliament and of the Council of 24 October on the Protection of Individuals with Regard to the Processing of Personal Data and the Free Movement of Such Data, Official Journal of the European Community 23 November 1995, no. L281, 31.
[16] The Constitution of the Federal Republic of Nigeria 1999.
[17] This Bill is still pending before the Nigerian National Assembly.

If and when the above draft bills are passed into law, they will afford Nigeria a better and proper legal framework for the protection of personal data and privacy. In the area of information security, there are literally no laws or regulations. The nearest law is the Official Secrets Act 1990[18], which covers government secrets. However, a publication entitled "Federal Republic of Nigeria Security Instructions" regulates the classification of information within the Nigerian Government. Chapter 9 of the Civil Service Handbook provides for the grading of documents. Specifically, Paragraph 43 on Page 67 states: "Officers dealing with secret files must each be provided with a filing cabinet fitted with a bar and special lock (six-lever padlock) so that all secret papers may be kept securely when the officers are not in their offices." This certainly cannot be applied online.

FRAMEWORK FOR DATA PROTECTION AND SECURITY MEASURES

An adequate framework for data protection and information security requires at least two areas of intervention. These areas are the legal and the administrative. Aside from these areas, there is also the need to adequately educate those who deal with sensitive data in organisations on the dos and don'ts of information protection and security.

Legal Framework

As our economic sector continues to grow, businesses and governments have become increasingly reliant on ICTs to ensure efficiency and profitability. This means that information has become the mainstay of our economy. In modern times, people are paid more for what they know than what they can do. Therefore information is more valuable today than ever. There is therefore a need to enshrine laws that will protect this valuable commodity. In many advanced economies there are laws that ensure that any person handling sensitive information must put in place adequate administrative measures to ensure that the information in his or her possession is adequately protected. A proper legal framework should contain certain features such as:

1. Definition and classification of various types of data;
2. Provision for the rights of individuals whose personal data is used by another party in the natural course of business activities;
3. Regulation of persons in possession of personal data of other persons;
4. Regulation of the way and manner in which certain sensitive information is managed;
5. Regulation of the use of personal data by law enforcement agencies; and
6. Ensuring proper administrative measures are put in place to ensure data is properly protected by any organisation.

[18] Laws of the Federation of Nigeria 1990

It is therefore necessary for the government to enact laws that will cover the areas mentioned above.

Administrative and Technical Framework

Security of the data in an organisation is very important because it may be the livewire of the organisation. It needs to be kept from unauthorised access, alteration and loss. Threats to such information could come from internal sources within the organisation, external sources or both. While we wait for the enactment of laws, it is also necessary to put in place adequate administrative and technical measures, such as controls on physical and remote access, encryption and other forms of technological solutions.

In this era of information technology the confidential secretary is no longer the sole custodian of confidential information. The network engineer, the scanning machine operator, and the office cleaner now have equal opportunity and access to confidential information. Today's working lifestyle typically means data is mobile and carried across a multitude of devices, including desktop PCs, laptops, notebooks, smartphones, PDAs, USB drives and CDs, and not just those meant to carry data: essentially any kind of endpoint computing device, such as iPods, MP3 players and even digital cameras, can be used to move large amounts of data.

Administratively, restricting physical access to devices and equipment that contain sensitive data goes a long way to filter unauthorised access. Simple measures such as security guards and the use of door access cards or biometrics to restrict the access of some employees work efficiently and serve as a deterrent to would-be violators. Deploying security cameras in data storage facilities also ensures that video records exist in case there is a need for investigations in future. Also, while considering administrative solutions, rules, guidelines and regulations should be adopted for the users who have access to data and for the application of technological solutions for the protection of the data.
The rules should cover areas such as: awareness; responsibility of various users; risk assessment; security management; and design and implementation of the network.

In deploying technical solutions, it should be noted that data security should not be viewed as a static problem. A better way to view data security is as a lifecycle, which can be broken down into four phases.

Detect: Any personnel in charge of data security should first of all locate where the data is stored or can be stored.
Protect: The next stage in the lifecycle is to enforce protection of the data irrespective of where it is stored.
Manage: Not only does data have to be protected, but it will also be necessary to provide management, audits, reports, etc. to prove that protection was in place in the event of a theft.
Support: Users forget passwords; data has to be recovered from discarded media; etc.

Technical solutions should not focus on just a single device or on what appears to be the most obvious target. The aim of the protection is not a device but rather the data contained in the device; thus the data should be the focal point of any security solution applied. Data is data irrespective of its location. In today's office environment every staff member owns a personal data storage device, which is often connected to the office data storage equipment. These personal storage devices are often used for legitimate reasons, but can be misplaced while they contain critical data. It is therefore necessary to regulate how handheld devices are used in your network or computer. It is not enough to simply tell people not to do something; you have to make sure that they can't do it.

It is also important to examine any security solution's impact on your existing operations within the enterprise. Always choose a solution which does not require any change to operational processes, yet still provides full data protection. It is imperative that any data security solution deployed should include the ability to uniquely protect individual users' data and to separate the roles of system administration and security administration, without interfering with the other operational processes.


Finally, any solution that is applied should be scalable. A good security solution should be able to accommodate additional devices or rapid growth and expansion of the network. It is not advisable to rely on applications to do all the work for us, or to throw money at the data security problem and hope it will go away. A holistic, layered approach to security is far more powerful than the fragmented practices present at too many organisations.

Think of your network as a municipal transit system. The system is not just about bus stops and the roads. Cars, traffic lights and passengers are equally critical components. Many organisations approach security as if they are trying to protect the bus stops, and by focusing on this single detail they lose sight of the importance of securing the flow of information. It is critical to take time from managing the crisis of the moment to look at the bigger picture. One size doesn't fit all in security, so assess the data flow and risk environment within your organisation and devise a comprehensive plan to manage information security that dovetails with business needs. A data protection-driven holistic plan is the only way to truly secure data in any establishment.

CONCLUSION

In conclusion, Nigeria is lagging behind in the area of information security, data protection and privacy. Most countries are building a legal environment to ensure that sensitive data is protected, which in turn encourages foreign direct investment in areas such as business process outsourcing. There is therefore a dire need for the establishment of a legal regime for data protection and privacy in Nigeria. In the area of information security, the best way for organisations to meet their data protection obligations is to understand the information flows and uses within their business environment.
A systematic, risk-based approach, which matches the data monitoring and protection capabilities of the organisation with the risks associated with the loss of information, based on its sensitivity and value and its likely impact on the individual and the organisation, is increasingly important. Security policies, processes and technology are all part of the operational risk management process of identifying, monitoring and controlling information security breaches, which may cause highly public exposure and embarrassment as well as loss to an organisation and its stakeholders.
