Editorial N°18 – Our personal data always under threat: Law enforcement and data theft

In the age of Big Data, mass information gathering and theft of sensitive data, we are no longer sure whether we are protected. This “we” means the data, what defines us. Our personal data, such as our names, credit card numbers and addresses, pass through connected objects that we no longer trust. This growing mistrust of the Internet of Things is growing and even imminent, as attackers are cleverly trying to get hold of this data. Countless amounts of information are passing through the connected objects, and the laws governing their manufacture are newly developed or still under discussion. In the twilight of the labels, of the framework laws for the security of connected objects and of the first results of the GDPR, what is the current state of the protection of personal data?

Personal data is “marketed” by the Net Giants, with each click; we give out personal information without our knowledge. While inside households, our data is collected by our cameras, our connected doorbells or our voice assistants, EDF and ENGIE have recently been the subject of a formal notice due to the processing of personal data of Linky meter users. According to the CNIL, the collection of data from these meters is not in order and does not comply with certain requirements of the RGPD, in particular regarding the method of consent and the length of time this information is kept.

In the field of health, the patient/doctor relationship has literally evolved. It is no longer a question of medical care and treatment, but of data processing. Hospitals and health centers are not immune to cyberattacks and data theft. In November 2016, the Rouen University Hospital was attacked by a ransomware, paralyzing computers and internal services. With the certain digitization of patient data, healthcare staff manipulate sensitive information and carry it on connected objects, computers and tablets. The increase in cyberattacks on patient data shows us that this sector is not to be outdone.

Data is not only transported via connected objects, but also stored in the Cloud. The latest McAfee report (January 2020) highlighted that companies are facing a challenge in protecting data in the cloud. According to a usage analysis associated with its MVISION range of solutions: “91% do not encrypt inactive data” and “52% of organizations use at least one service that has already been the victim of a public data leak“. Wherever our data is, it is subject to cyberattacks.

What about the laws in place for data protection? Are new laws being put in place? After the GDPR and the Cyber Act, it is the turn of Washington legislators to introduce the “Washington Privacy Act” introduced in January 2020. This law is mainly aimed at consumer safety, similar to the California Consumer Privacy Act (CCPA). The Washington Privacy Act takes up concepts from the RGPD and notably requires control over consumer consent, particularly with regard to facial recognition.

Although legislation is being passed over the months, the security of our personal data is still threatened. It is now a question of raising awareness among healthcare personnel, users and manufacturers of connected objects.