Lauren Connell, Managing Associate at The Volkov Law Group, rejoins us for a posting on data privacy and security. Lauren can be reached at firstname.lastname@example.org.
The terms “Data Privacy and Security” are being thrown around a lot lately. Just recently, England’s health services and medical facilities were shut down and became the target of a ransom note (demanding, of course, payment in bitcoin) to regain access to blocked files. This is an extreme outcome, but the bad publicity and customer alienation that follow cyber-attacks are unfortunately familiar to many US companies, including Home Depot, Target, AshleyMadison.com, and Yahoo.
This problem is not going to go away. As our reliance on digital technology for every facet of business grows, the frequency with which cyber criminals attack, and succeed in those attacks, will only grow. Just as companies have developed robust procedures to keep their cash safe, businesses need to do the same for their data. These attacks represent real risks with significant costs to companies. Compliance departments are best positioned to ensure that appropriate procedures and controls are in place.
Unfortunately, it is not as easy as hiring Brinks or Loomis to show up and put all your data in an armored, guarded vehicle for transport. Data security is multifaceted: an attack can come through any number of channels, and the work is ongoing, because cyber criminals, like other types of criminals, are constantly evolving.
For a company, managing this area starts with understanding the terms. Data privacy is about what you promise your customers you will do with their data. If you promise that a picture is automatically erased and can never be viewed again, you had better make sure that your software actually does that. This is an area that the Federal Trade Commission has enforced in a number of actions against companies that promise privacy or security … but do not deliver.
In 2014, the FTC settled charges against Snapchat because Snapchat promised its users, among other things, that there was no way to view a picture after the allotted timer ran out. At the time, there were a number of third-party apps that allowed picture recipients to download and save the photos for as long as they wanted, sent videos were stored longer on the user’s phone, and, not to mention, the recipient could simply take a screenshot. The FTC cited other areas as well, such as tracking location data despite promising not to. Long story short, Snapchat’s promises misled consumers.
Snapchat did not receive a fine or admit fault, but did agree to an independent privacy monitor for the next 20 years – which is not free.
The FTC’s website contains a long list of data privacy enforcement actions that did not receive as much publicity as the Snapchat action, many of which resulted in fines in the millions of dollars. So, to comply with data privacy regulation, companies need to make sure that their products and information technology processes can actually deliver on what they promise.
Data security is a different matter. To manage data security, companies need to look inward. Data security covers how well your information technology infrastructure is protected. This means robust security protocols – such as making sure access to your server room is controlled, that your users frequently change their passwords, that your users are trained on how to avoid facilitating a breach by not clicking on malicious links or attachments, and making sure that your data is protected and encrypted at all stages: creation, transmission, and storage.
Large companies will be able to manage this in-house, but small and medium-sized companies will likely need to turn to outside vendors to make sure their information is safe. Data security does not just “happen.” Ensuring the safety of your data is a deliberate process that must be thought out and implemented just like any other compliance policy – with training and support to ensure that the procedures are “operationalized.”
The impact of poor data security can be significant – terrible publicity, loss of consumer confidence, high costs of remedying the problem (such as by offering identity theft protection to those whose information was released), and notification of all those affected. Not to mention it sucks up valuable management time in responding to a crisis when it occurs.
The ransom attack on England’s health system is frightening because it shows the broad reach of cyber criminals and their willingness to do anything, even shut down hospitals, to accomplish their crimes. Every CEO should take this occurrence as a stark warning and wake-up call – address data security before it’s too late.
Compliance professionals can do their part by including data privacy and security as a risk source for their organizations. Elevating this concern from the IT department to corporate-wide risk management personnel is the first step.