Data Privacy Day isn’t just about consumer awareness. Organizations have to maintain data privacy best practices to retain customers’ trust—and their business.
Today (Jan. 28) is Data Privacy Day, a day championed by the National Cyber Security Alliance focusing on privacy awareness and education. Most stories about Data Privacy Day are written for consumers and offer advice on cyber security best practices: Use better passwords. Turn on multifactor authentication. Be careful about the information you share on social media. And so on.
The assumption underlying all this advice is that consumers will keep doing business with the same organizations. Other than suggesting that people delete apps they don’t use, few experts have publicly recommended that consumers abandon companies that don’t protect their privacy. And most people are happy to exchange, say, a minute’s worth of location data for directions to the 10 closest coffee shops. That trade involves a tiny amount of privacy and a massive amount of convenience. It seems fair at the time.
But those tiny amounts of privacy add up. Organizations are using AI and machine learning to detect patterns and make predictions. They’re even sharing—and selling—data. And the increasingly insistent tone of public discourse on privacy indicates that people are finally getting concerned. Suddenly, the notion that consumers will simply stop doing business with organizations that violate their privacy isn’t so laughable.
Even if we put aside the ethical considerations, the regulatory consequences, and the potential fines, data privacy is good for business. And a key element of data privacy is data security. So in honor of Data Privacy Day, here are our top five stories on privacy and security from 2018.
Whatever else happened, 2018 was the year of GDPR. The General Data Protection Regulation outlines extensive security requirements for the protection of personal data, as well as massive potential penalties for violating them. After the regulation went into effect May 25, 2018, the first GDPR decision came within a week, and the first GDPR fine came in September.
In our coverage of Data Privacy Day last year, security strategist Taylor Armerding focused on the Internet of Things. It’s not just that our always-on, always-connected gadgets are collecting massive amounts of data that can be put together in myriad ways. It’s that IoT security is particularly hard to do right unless it’s built in at the very beginning.
There are a lot of ways an application can mishandle data. Data at rest (i.e., data that’s stored somewhere, as when it’s sitting in a database) is often the target of data breaches. But it’s not the only data at risk. Data in transit (i.e., data that’s being processed, as when it’s being entered into a database) must be protected as well.
The relationship between law enforcement and organizations that hold personal data is murky. The Supreme Court brought much-needed clarity to one aspect when it ruled that law enforcement’s obtaining location information from companies requires a search warrant. But that’s little comfort when that location information isn’t secure in the first place.
Sen. Ron Wyden, D-Ore., is one of the most outspoken proponents of securing and protecting personal data. And he’s proposed legislation to make sure it happens. Key features of his proposal include giving the FTC power to establish cyber security standards, impose fines similar to those outlined in GDPR, and require companies to evaluate their algorithms for fairness.