Americans used to think of cybersecurity as something affecting major banks or government agencies. After all, hackers were typically launching missiles or stealing billions in James Bond movies. The typical citizen never worried about someone accessing their personal information beyond their Social Security or credit card numbers.
So much has changed in just the last few years. The Federal Trade Commission (FTC) fined Google $22 million in 2012 for improperly using tracking cookies. The Target hack in 2013 was seen as an anomaly, resulting in a record-breaking $18.5 million legal settlement in 2017. Fast forward just a few years, and Facebook agreed to a $5 billion fine with the FTC. The company is also bracing for another billion-dollar fine from the European Union for violating the General Data Protection Regulation (GDPR). Equifax and the FTC came under fire because their data breach settlement was too lenient at $700 million. The Russian-based FaceApp took America by storm with the app’s advanced photo-aging technology. The uproar was even louder when users found out the program harvested their metadata across international lines and allowed the use of their name and photographs for commercial purposes.
Professor David Carroll stars in The Great Hack, a popular Netflix documentary about the Cambridge Analytica privacy breach that impacted the 2016 elections. He is shown on-screen buying coffee and surfing the web, with each movement highlighted as a new digital data point. While walking through the stylized environment, he summed up the changing privacy landscape: “I knew the data from our online activity wasn’t just evaporating. As I dug deeper, I realized these digital traces of ourselves are being mined into a trillion-dollar-a-year industry. We are now the commodity.”
It has become an era of data breaches. Breaches are costing businesses more money every year. Consumers have a new focus on their privacy. Hacks have moved out of James Bond plotlines and into national news and presidential campaigns.
Businesses big and small can no longer afford to ignore their information privacy practices, whether local, national, or international. With escalating fines, new foreign and domestic laws, potential lawsuits, and negative backlash from customers, organizations now have a fiduciary duty to protect personal information. Ignoring the needed changes to their business practices risks severe reputational and financial damage.
Where should a business start?
Top decision-makers must decide how strongly they want to protect the personal information they collect from customers, employees, and consumers. The most important thing at this step is support and buy-in at the top of the company. Antiquated companies view data protection as an unnecessary cost. Forward-thinking organizations understand both the risk and the competitive advantage in privacy compliance. With the help of an information privacy professional or privacy attorney, leadership should draft a few short guiding statements that set up the program’s scope.
An attorney can help identify which privacy laws apply to the business. The United States has different privacy standards and laws that apply to different businesses. These include the FTC’s rules on unfair and deceptive trade practices, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Financial Services Modernization Act of 1999, the Children’s Online Privacy Protection Rule (COPPA), the European Union’s GDPR (in force since 2018), the upcoming California Consumer Privacy Act (CCPA), and state-specific breach notification laws. Finally, the company needs to track where and how information is collected and what happens to the data afterward.
Now, the privacy guidelines are set.
Protecting data is not limited to stopping hackers. Cambridge Analytica never hacked Facebook. If this were as easy as installing a firewall, every company would do it. Technical safeguards, like encryption and password protection, are important, but only part of the puzzle. Physical safeguards, including locks, security guards, and keycard access, can limit unauthorized access to laptops, flash drives, and other equipment that contains personal information. Administrative safeguards are easily the most significant protection. These focus on internal policies and procedures, including the basics of the physical and technical safeguards above. They can define which employees have access to which information, how privacy concerns are addressed when new goods and services are developed, how training and auditing are carried out, and what to do when an employee is fired or quits.
Most data breaches occur because of an employee or former employee. It can be as simple as a current employee accidentally clicking a malicious link in an email. A disgruntled employee can take as much business and personal information as possible before quitting in anticipation of setting up a competing company. Administrative safeguards include steps to limit these common issues.
It is easy to forget that hackers never breached Target’s own login systems in the 2013 hack. Hackers phished Target’s refrigeration maintenance vendor, which allowed them to install a Trojan and then access Target’s servers. Target was sued for failing to require privacy standards in third-party agreements, among other failures. Had Target established better administrative safeguards, the hackers would never have accessed its servers in the first place.
Changes big and small can limit the threat of a data breach and, with it, embarrassing breach notifications, bad publicity, domestic and foreign fines, lost customers, and lawsuits. Many organizations, particularly tech and app developers, were able to operate under almost zero compliance requirements for years. After years of misuse, breaches, and poor practices, the law is finally catching up. Now businesses need to catch up to the new laws in the data breach era.