Muneeb Imran
Recent weeks have been marred by stories of 'data breaches' at various banks in Pakistan, in which the data of more than 19,000 cards spread across 22 Pakistani banks was stolen. The data was later released on the dark net in the form of two dumps, with prices starting from 100 USD each.
It is a no-brainer that data has become one of the most valuable assets for organizations and states, and this poses significant governance challenges for organizations. As individuals we hand over our information on many fronts, whether electronically or by conventional means. Regardless of how it is provided, our data eventually reaches digital shores, and once it does, it begins to pose privacy, confidentiality, integrity and availability challenges.
Think of a simple Complete Blood Count (CBC) test that you undergo, after which the hospital tells you that the medical reports can be obtained from its official website. In the security realm such information is considered Personal Health Information (PHI), and it is among the data most sought after by attackers. Similarly, when we visit a bank to open an account, we may not be providing our data through a digital platform, but it definitely ends up in the organization's digital stores.
Such data is considered Personally Identifiable Information (PII) and is again among the most valuable data that attackers are constantly planning to acquire. Mandiant Consulting, in its recent M-Trends 2018 report, identified the financial and health sectors as being among the attractive targets for cybercriminals.
To deal with such challenges, countries have established overarching 'data protection laws' that regulate industries and businesses which collect, process or store personal data in any form. Any organization that intends to collect personal data (particularly sensitive data) from its users is required to seek the users' consent and to notify them of the purpose of the collection and where the data will be used. Ultimate responsibility for protecting the data lies with the organization collecting the personal information, which in the security realm is known as the "data collector".
The EU has put forward the most stringent privacy law, the "General Data Protection Regulation (GDPR)", which treats the privacy of personal data as a basic human right and prohibits the processing and storage of EU citizens' data in countries outside Europe or in countries that do not conform to the GDPR. Similarly, Australia has its Australian Privacy Principles, which provide guidelines for privacy compliance. Though the United States does not have an overarching privacy law, it does have acts in place to protect PII or PHI, such as the Gramm-Leach-Bliley Act and HIPAA. Other countries, including Argentina, Switzerland, Israel and Japan, have also developed their own data protection laws.
Responding to the gravity of the situation, Pakistan's Ministry of IT & Telecommunications (MoITT) in 2018 drafted a bill named the "Personal Data Protection Bill 2018", which can be found on the ministry's website and is still open for debate.
The bill has provisions to safeguard personal data in line with the same principles as the EU GDPR: a user's consent will be sought, and the user will be notified of the purpose of collection and processing. Along with this, data subjects would have the right to correct the personal information held by the organizations that collected it, together with the other rights enshrined in the bill itself.
The bill would establish a data protection agency, the National Commission for Personal Data Protection (NCPDP), to act as its enforcement arm. The commission would be autonomous, but its commissioners would be appointed by the Prime Minister of Pakistan. One of its core responsibilities would be to receive and decide complaints regarding infringement of personal data protection, including violation of any provision of the act.
Though the Data Protection Bill is a good starting point that covers many aspects of a privacy framework with which organizations will have to comply, it does not explicitly name the industries or sectors to which it will apply. In addition, it contains no provisions for 'mandatory breach reporting', which is an essential part of protecting regulated Personally Identifiable Information (regulated PII): organizations operating under established privacy frameworks are obliged to report to the data protection agency or other relevant body when a breach of their regulated PII has taken place.
With such a high volume of personal data up for grabs because of the lack of a regulated privacy framework, it is extremely necessary for Pakistan to enact its Data Protection Bill at the earliest, but only after carrying out due diligence.
Muneeb Imran is a data solutionist and an Information Security Engineer by profession at a multinational telecommunications organization based in Saudi Arabia. He is an avid reader with a deep interest in information security, foreign policy, international relations and cricket. The views expressed in this article are the author's own and do not necessarily reflect the editorial policy of Global Village Space.