Privacy Changes Ahead
The past eighteen months have seen a whirlwind of activity regarding data privacy. In 2017, there were more than 1,500 significant data breaches (as reported by the Identity Theft Resource Center). The Equifax data breach in September 2017 and the misuse of Facebook user data by Cambridge Analytica may have been the most widely reported data breaches. The Equifax breach alone affected an estimated 143 million individuals, almost half of the U.S. population. The implementation of The General Data Protection Regulation (GDPR) in May 2018 and the passage of the California Consumer Privacy Act of 2018, which will become effective in January 2020, are rightly seen as the two biggest regulatory responses to these types of events.
In 2013, Target was breached and more than 40 million credit card numbers were compromised. The attention at that time was given to the security of card numbers. Overlooked however were the 70 million customer records containing personal data that were also compromised. At the time, the media focused on the stolen credit cards, glossing over the Personally Identifiable Information (PII) that was lost. Two years later, Anthem had over 80 million patient and employee records compromised. Again the story was around the industry as a whole protecting Protected Health Information (PHI) data as fortunately no credit card information was compromised.
Based on just these breaches alone, it’s clear that privacy concerns and the need for protecting consumer information should be a heightened focus. This reminds me of the “falling rocks” sign you see as you drive down the highway: you see the sign and know the potential danger, yet continue to drive, not slowing down, not changing lanes. You drive past it and never think of it again.
Regarding data privacy, the signs have been there: privacy and protecting consumer data presents a clear danger for companies, but most companies ignored the warnings. In fact, according to RSM’s recently released Cybersecurity Special Report, nearly 50 percent of midsize companies expect they will face unauthorized users attempting to breach their data or systems this year. Moreover, despite incidents of rising cybercrime, just half of the businesses surveyed carry cyber insurance policies to protect against internet-based risk.
Unfortunately, consumers are left to “trust” that companies are protecting their data, and are spending the appropriate amount of money to minimize the risks associated with using or storing PII data. In a free market, logic would conclude that consumers wouldn’t shop at a store/company again if a breach occurs. Unfortunately, consumers have been desensitized to these breaches, and despite fines and bad press, most companies continue to take a business-as-usual approach to security.
When the market will not regulate itself, the government (Federal and State) steps in to impose regulations, laws, and fines; thus, the California Consumer Privacy Act of 2018 was born. In economics this is called an externality. By definition, an externality is the cost or benefit that affects a party who did not choose to incur that cost of benefit. In short, consumers did not want their information leaked, thus insured a cost, whereby the companies that should be protecting that information have chosen not to adequately protect this information.
Companies can no longer ignore the risks associated with holding PII and should start to enhance their cybersecurity programs to protect this sensitive information. The old saying that, “you can have security without privacy, but cannot have privacy without security,” certainly applies. Unfortunately, many cybersecurity practitioners are not adequately trained on the privacy laws and regulations. Frequently, privacy is not considered when securing the organization. For example, most, if not all, retail organizations have had to implement controls to protect cardholder data in accordance with Payment Card Industry Data Security Standard (PCI-DSS) requirements. This includes segmenting networks, encrypting data and conducting store audits. However, most retail organizations never considered their consumers’ data. They didn’t ask who had access to this data, what they were doing to secure it, when they will remove it, where was it being stored, why they were collecting it and how they can limit collection. Instead, organizations adopted an omnichannel model, desiring more and more information about their consumer base to improve marketing.
The push for companies to retain even more data on consumers – and correlating this data to searches, spending habits, and potentially life events (births, home buying, etc.) – has taken control away from consumers and has led to this moment where governments must impose privacy and security requirements. In the near future, we anticipate additional legislation (State and possibly Federal) as consumers become more aware of the amount of data being collected and sold. We also expect consumers to begin pressuring lawmakers or possibly even take their business to companies that appear to be protecting customers’ privacy.
It is important that companies are prepared for the impact future privacy legislation will have on them. Not only are businesses going to need to fully understand processes around what data is being collected (how, where, for how long, where it is stored, where it goes, what third parties are involved and how it is deleted), they are also going to need to implement a plan for responding to consumer requests, amendments, complaints or other inquiries around this type of data. At RSM, we are advising our clients to start the following initiatives specifically to address California Consumer Privacy Act of 2018, but they are also critical in developing the baseline for any privacy obligations:
- Develop an asset inventory of all key devices that store, process and transmit sensitive data
- Document the flow of sensitive data in the business environment
- Consider alternative forms of service delivery
- Offer alternative methods for submitting data (e.g. toll-free telephone)
- Define the opt-out process for consumers
- Implement a privacy management system (document what data is collected, how it is processed and with whom it is shared)
- Update privacy policies (for employees and third parties)
- Determine the age of consent prior to interaction with a consumer
The rise of highly publicized breaches and louder cries for privacy rights likely make it inevitable that organizations will need to focus on data privacy. Getting a sense of your privacy data early will not only make it easier to comply with legislation, but also improve customer confidence.
About Ken Stasiak
Ken Stasiak is a principal in the security, privacy and risk practice of RSM. In that role, he is responsible for helping clients with remediation, implementation and managed services. Throughout his career, Stasiak has consulted with hundreds of companies on risk management in highly visible and regulated industries such as financial services, retail, high-tech and the energy sector.
Prior to joining RSM, Stasiak served as president, CEO and co-founder of SecureState, an information security assessment and protection consulting firm that was acquired by RSM in March 2018. Previously, he served as a manager at Arthur Anderson. He also held positions at a Big Four accounting firm, MarchFirst and Whittman-Hart.
Stasiak earned his EMBA from Northwestern University Kellogg School of Management. He holds a bachelor’s degree in accounting and an associate’s degree in computer programming from the University of Akron.
Stasiak holds various industry certifications, including CISSP, CISA, CGEIT and CISM, and has been featured on Bloomberg Businessweek, CNN, SIRIUS XM Satellite Radio, PBS, and Fox News for his expertise on information security.