In light of the recent cyberattack on the Telecommunications Services of Trinidad and Tobago (TSTT), a pressing conversation has surfaced regarding whether companies need to store customers’ personally identifiable information (PII) at all, and whether they can do so safely. The unauthorized disclosure of sensitive data, including passport details, national ID cards, and driver’s licenses, not only raises concerns about the immediate impact on affected individuals but also invites a broader discourse on the principles of data governance and privacy in an increasingly digital world.
Why Do Utility Companies Store Customer Identification?
Historically, companies have maintained records of customer identification documents to fulfill regulatory requirements, ensure accurate billing, prevent fraud, and facilitate the recovery of debts. This information serves as a cornerstone for establishing trust between the service provider and the consumer. However, the retention of such data presents an attractive target for cybercriminals, as evidenced by the recent breach of TSTT.
Is Long-Term Storage of PII Necessary?
The fundamental question arises:
Can the information simply be used to verify the identity of a customer and not be stored long-term by the provider?
From a customer’s standpoint, the less data a company retains, the lower the risk of that information being exploited in the event of a data breach.
Current Data Privacy and Governance Laws
Under modern data privacy and governance laws such as the General Data Protection Regulation (GDPR) in the European Union and similar frameworks elsewhere, the principles of data minimization and purpose limitation are key. These principles dictate that only the data necessary for the completion of a given purpose should be collected, and it should not be retained for longer than necessary.
Given these regulations, it’s imperative to question whether the traditional practices of companies align with the best interests of consumers’ privacy and data protection. Should these entities still store such comprehensive customer documents?
Alternatives to Traditional Data Storage Practices
In seeking alternative methods to onboard customers onto their platforms, companies could explore the following options:
- One-Time Verification: Instead of storing PII, companies could verify the documents and then dispose of the copies, retaining only the verification result and a unique identifier for the customer.
- Data Encryption: For any data that must be stored, strong encryption, with the keys managed separately from the data they protect, can ensure that, even in the case of a breach, the information remains unreadable and useless to unauthorized parties.
- Decentralized Identity Verification: Leveraging blockchain technology, customers could store and control access to their PII, granting temporary access to companies for the purpose of verification without the need for the company to retain the data.
- Third-party Verification Services: Outsourcing identity verification to third parties that specialize in data security could reduce the amount of data companies need to manage directly.
- Biometric Verification: While also sensitive, biometric data used for identity verification could eliminate the need for storing traditional PII. This method, however, introduces its own set of privacy concerns and should be approached with caution.
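As an added illustration of the one-time verification option above (example code written for this page, not code from the original article or from TSTT): a hypothetical Python onboarding routine that checks a document, keeps only the verification outcome and a keyed pseudonym of the document number, and never writes the number itself. The key, the document checks and the record layout are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import date, datetime, timezone

# Hypothetical server-side key for deriving a keyed pseudonym of the document
# number, so repeat sign-ups with the same ID can be spotted without keeping
# the number. In production this key lives in a KMS or HSM, not in code.
PSEUDONYM_KEY = secrets.token_bytes(32)
ACCEPTED_DOC_TYPES = {"passport", "national_id", "drivers_licence"}


@dataclass(frozen=True)
class VerificationRecord:
    """All that is retained after onboarding: no name, number or scanned image."""
    customer_id: str
    doc_type: str
    doc_pseudonym: str  # HMAC-SHA256 of the document number, not the number
    verified: bool
    verified_at: str


def verify_document(doc_type: str, doc_number: str, expiry_iso: str) -> bool:
    """Constructed check: a real flow would confirm the document with the
    issuing authority; here it must be an accepted type, alphanumeric, unexpired."""
    if doc_type not in ACCEPTED_DOC_TYPES or not doc_number.isalnum():
        return False
    return date.fromisoformat(expiry_iso) >= date.today()


def pseudonym(doc_number: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed one-way fingerprint: unlike a plain hash, it cannot be reversed by
    enumerating the small space of possible ID numbers without the key."""
    return hmac.new(key, doc_number.encode(), hashlib.sha256).hexdigest()


def onboard(doc_type: str, doc_number: str, expiry_iso: str) -> VerificationRecord:
    """Verify, then keep only the outcome; the raw number is never stored."""
    return VerificationRecord(
        customer_id=secrets.token_hex(8),
        doc_type=doc_type,
        doc_pseudonym=pseudonym(doc_number),
        verified=verify_document(doc_type, doc_number, expiry_iso),
        verified_at=datetime.now(timezone.utc).isoformat(),
    )


def retains_raw_number(record: VerificationRecord, doc_number: str) -> bool:
    """Data-minimization check: does the stored record contain the raw number?"""
    return doc_number in str(record)
```

The same pseudonym is produced for the same document number on each sign-up, which is what allows duplicate-account and fraud checks without retaining the PII that was exposed in the TSTT breach.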
Integrating compliance with an established industry standard such as ISO/IEC 27001 into Trinidad and Tobago’s data governance and privacy framework would be a strategic move that strengthens the country’s cybersecurity posture.
The state of Trinidad and Tobago, like any government seeking to enhance its data governance and privacy framework, can take several steps to address the vulnerabilities and challenges highlighted by the cyberattack on its telecommunications services.
Mandating ISO/IEC 27001 Compliance
The government could consider mandating compliance with ISO/IEC 27001, especially for critical infrastructure sectors such as public utility companies and government offices. This would involve:
- Risk Management: Ensuring that organizations implement an Information Security Management System (ISMS) in line with ISO/IEC 27001, that is, the standard’s systematic approach to managing sensitive company information so that it remains secure.
- Continuous Improvement: Promoting the standard’s emphasis on continuous improvement, which requires regular reviews and updates to security practices.
To encourage organizations to become ISO/IEC 27001 certified, the government could:
- Provide Incentives: Offer tax incentives, subsidies, or other benefits to companies that achieve and maintain certification.
- Public Recognition: Publicly recognize organizations that adhere to the standard, thus incentivizing others through positive reinforcement.
Developing local expertise in ISO/IEC 27001 is key. The government can:
- Offer Training: Provide or subsidize training for businesses, especially small and medium-sized enterprises (SMEs), on how to implement the standards of ISO/IEC 27001.
- Support Certifications: Assist organizations in obtaining certification by offering guidance and resources.
Integrating ISO/IEC 27001 into National Regulations
When drafting or revising data protection legislation, the government could:
- Align with International Standards: Ensure that national regulations are harmonious with ISO/IEC 27001 standards, helping businesses to be compliant with both local laws and international best practices.
Enhancing the Legal Framework
As part of enforcing data privacy regulations, the state must:
- Legal Requirements: Incorporate ISO/IEC 27001 requirements into the legal framework, making certain aspects of the standard a legal requirement for data protection.
- Compliance Audits: Include ISO/IEC 27001 compliance checks in regular audits performed by a data protection authority or relevant regulatory bodies.
Implementing Compensation to Citizens for Data Breaches
Whereas the current Trinidad and Tobago Data Protection Act sets out fines and penalties for companies found to be in breach of the Act, it may be worthwhile to consider compensation to victims as part of those penalties. The approach taken in the UK under its GDPR rules offers a model that could be adapted.
Supporting ISO/IEC 27001 in Public Sector
The government should lead by example by:
- Adopting ISO/IEC 27001: Implementing ISO/IEC 27001 within government agencies, especially those handling citizen data.
- Government Procurement: Requiring ISO/IEC 27001 compliance in government procurement processes, ensuring that vendors and service providers meet these security standards.
Fostering a Culture of Security
To promote a culture of security, the government can:
- Awareness Campaigns: Conduct national campaigns to raise awareness about the importance of information security and the role of standards like ISO/IEC 27001.
- Engaging Stakeholders: Hold regular stakeholder meetings to discuss challenges and share best practices related to ISO/IEC 27001 implementation.
By integrating ISO/IEC 27001 into the national approach to data governance and privacy, Trinidad and Tobago can significantly enhance its cybersecurity measures, build international trust, and protect its citizens’ data more effectively. This standard serves not only as a guideline for best practices but also as a benchmark for both local and international business engagements, promoting a safer digital environment for all stakeholders involved.