When talking about cybersecurity, there is logically significant focus on the technical side, but practical cybersecurity needs policy protection. When discussing standards and accreditations such as AES256, ISO 27001 or SOC2 Type II, these are important and part of what good solution providers should have, but there are other non-technical elements that are a necessary part of cybersecurity.
Policy is a dry topic and often only considered as an afterthought, but Company Policy for capturing, storage and handling data is incredibly important. This is the different side of Cybersecurity, dealing with the human and data elements. To illustrate, I’ll assume your company is using video data captured from an in-cab system as this is becoming more common in the transport industry and where DriveRisk has the most experience as a video safety provider.
Why Are You Capturing Data?
You should have a defined purpose for these systems. Typically, this will be ‘The in-cab video systems are a safety tool for capturing information in and around the vehicle to improve safety and assist with incident management’. This statement is an excellent start because it shows you plan to use the data, not just capture it. Unfortunately, we see all too often that fleets have DVR systems or dashcams that just capture data ‘in case we need it’. This approach has potentially very dangerous consequences. If you are capturing data that contains risky or unsafe practices AND you are not actively acting on these safety breeches, you are opening your company and the management to liability. To avoid this, ensure you have a well-defined purpose for your data capture.
What Data are You Capturing?
Video data is very rich and typically includes audio, GPS location and speed as well as engine data. Do you capture video inside the cab? If so, you are almost certainly capturing personally identifiable information and you will need to comply with the Commonwealth Privacy Act and the relevant surveillance legislation. This needs to be addressed in your policy and you need to inform your staff of these policies.
How are You Handling the Data?
Once this data is being recorded, you are responsible for this data in a universal sense. Your company will need to consider the management of this throughout its entire lifetime from capturing, to storage, to usage and finally deletion.
In the vehicle, how secure is the captured data on the device and the download process? With simple dashcam systems it is easy to remove the memory card and view the video on any computer. This is a major cybersecurity loophole. To protect you company, you need in vehicle systems that encrypt data on the device and provide a secure method of access. The optimal way is to have remote (4G/WiFi) data transmission to secure storage with tightly controlled user access.
In the office, your cybersecurity responsibilities are not over. You should have good user access management including policies and procedures for dealing with people joining or leaving your organisation including remote access to the in vehicle equipment, protected access to certain folders on the company file storage, remote VPN access to the office. You may have the need to decrypt the data for practical use such as insurance claims or incident reporting. This decrypted data also represents a cybersecurity risk to your business. Again, in your policies you need to clearly define when and why you are storing un-encrypted data and who has access. Is this unencrypted data permitted to be transmitted via email? The last thing you want to see is a video clip of one of your drivers on YouTube, if this is not managed properly.
How Much and How Long?
Another question that many companies do not consider is how much video should be downloaded from the vehicle. The policy needs to refer back to the purpose of the data. Are you capturing short videos of risky behaviours for use in safety coaching? If there is an incident, how much video do you keep before and after the event? What if there is a serious collision or fatality? This all needs to be well defined in policy and adhered to in practice as a failure on your company’s part can adversely affect you in a court case. The data and your policies help form a defensible position in court or conversely if done poorly can have the potential for this data to be dismissed as evidence.
Finally, when will you delete the data? Company data must generally be kept for five years and CoR legislation also requires your company to store data for a up to five years in certain circumstances. This needs to be included in your cybersecurity policy, but also what happens after this? How is this data purge policy monitored and executed? You may think it is OK to keep it for longer, but why? Just having data represents cybersecurity risks as you need to continue to secure it and control access.
The Bottom Line
Cybersecurity includes technology and policy. Make sure you have the data for a reason, you store it appropriately, have controls on the access and you delete it when no longer needed. Ensure your company policies is complete, is communicated to all your employees and you have a monitoring process in place to ensure the procedures are followed.
At DriveRisk, we talk to a lot of clients that are struggling with these issues. Please reach out to our team as we can help sort through the issues and put you on the right path for a secure and safe future. Our Risk Consultants are happy to help you to construct practical policies and assist you to get appropriate professional advice.
*Please Note: This article does not constitute legal advice but is general information on this topic.