Your Company Could Become The Next Big Privacy Scandal
2018 was the year of digital privacy awareness. Filled with publicity around the lack of any meaningful privacy in the digital realm, people learned they can no longer assume that large corporations have reliable custody of their personal data. Businesses, for their part, were set on high alert—or so we can hope—to ‘not be like Facebook’ with customers’ personal information.
Speaking of Facebook, last year saw the social media behemoth hemorrhaging one bad revelation after another. Most notably, the Guardian’s and the New York Times’s exposure of the years-long Cambridge Analytica affair led to the demise of Cambridge Analytica, but not before 87 million personal profiles were compromised, Brexit was allegedly influenced, and Donald Trump’s 2015 presidential campaign purportedly benefited from social targeting based on said data.
Such “increased attention brought to digital privacy issues,” says cybersecurity expert Jake Hiller, motivates companies “to stop and think about how they handle the digital privacy of their client and employee data.” Rather than jumping on the “chastising bandwagon” (the default response when it’s another company’s metaphoric derriere in the hot seat), “we should be looking at the reflection in the mirror.”
Subsequent to the Facebook imbroglio, Mr. Hiller has had “a few clients want to look at how to tighten up their security and change policies.” As the owner of IT and cybersecurity firm Intelitechs, Mr. Hiller consults a lot of Utah firms of various sizes. He says that “in general, Utah companies are ahead of the curve” regarding technology (including an awareness of the importance of digital privacy).
Mr. Hiller attributes Utah’s proactivity to the “Silicon Slopes” initiative, which brings “a lot of attention focused here in the tech space.” Whether or not Utah is really ahead of the curve, complacency is always the enemy, and Matt Lowe says that good digital hygiene requires continuous vigilance from companies. “Don’t ignore it and think that it doesn’t apply to you.”
Mr. Lowe serves as the executive vice president at MasterControl, a SaaS company that provides a suite of corporate governance and compliance tools across a variety of sectors. He says that “digital privacy has always been at the forefront to us,” but after the Facebook (and other) privacy disasters, the topic “has certainly garnered additional attention within our company.”
Safeguard Your Company
The European Union’s General Data Protection Regulation went into effect on May 25, 2018. Applicable to United States companies that are based in the EU, have subsidiaries in the EU, or have customers in the EU, GDPR mandates consumer safeguards such as the following (not an exhaustive list): companies must immediately notify customers of any data breach, customers have a right to know exactly how their data is being collected and used, and customers have a ‘right to be forgotten,’ meaning they can have their data wiped from company records.
According to the Council on Foreign Relations, the US is long overdue for some regulatory clarity à la GDPR. “Companies need clearer rules,” they state in their scathing “Reforming the US Approach to Data Protection and Privacy” report. Whereas “comprehensive legal protection for personal data” is needed, “the United States has only a patchwork of sector-specific laws that fail to adequately protect data.”
“Most Western countries,” the report states, “have already adopted comprehensive legal protections.” Meanwhile, US firms “are saddled with contradictory and sometimes competing requirements” in the piecemeal legal landscape they’re forced to negotiate. Different laws apply to different industries, and each state then layers its own legal approach on top. “These laws have different and sometimes incompatible provisions regarding what categories and types of personal information warrant protection,” says CFR’s report, or “which entities are covered.”
The legal playing field established by GDPR has made the EU “the focal point of the global dialogue on individual data privacy,” says the Council on Foreign Relations. With “other advanced economies, such as Canada, Israel, and Japan” adopting approaches “compatible with the EU’s GDPR,” United States companies could be “at a disadvantage globally” unless they proactively choose to meet GDPR-type standards. And, of course, many of them are already GDPR-compliant due to European business ties. Cody Broderick, founder and CEO of inWhatLanguage, says that his company has “implemented strict policies, technology, and authorizations in relation to the European GDPR.”
Many US companies, especially in consumer-data-intensive industries, get ISO 27001 certification. ISO 27001 is an internationally recognized (ISO stands for International Standards Organization) information security accreditation that overlaps considerably with GDPR. Because it is an accreditation and not a law, compliance is semi-optional: semi because you may not be able to play in certain arenas without it, optional because, well, you won’t suffer government enforcement actions by allowing it to lapse. You’ll just lose credibility, and your competitors will make sure everyone knows that they hold a current ISO 27001 certification and you don’t.
If a company is aiming for GDPR-level best practices, ISO 27001 certification is a good start. While ISO is “a set of best practices with a narrow focus on information security,” GDPR is “a global standard that provides a strategic vision.” This is per Matt Middleton-Leal, writing on the Netwrix blog in April 2018. Heck, if you want to go all-out, get your ISO 27001 certification and achieve GDPR compliance.
Even If You’re A Startup
If you’re one of the companies struggling just to stay afloat, of course, all of this compliance business tends to get short shrift. Startups, especially, can have a tough time of it. Given that most fail, and that the most common cause of death is insolvency before reaching profitability, a startup is always looking for ways to extend its financial runway. Investing money in compliance is usually not a top priority. “We struggle with the balancing act of setting up best practices” upfront, or “opting for simple,” says Jen Greyson, founder and CEO of software startup CO.CO.
Still, even startups need to plan for the future. “We also know we’re going to scale,” Ms. Greyson says, “and if we can implement protocols now… they’ll become culture.” There are also basic precautions any organization can take without adding much burden. Password managers, for example, help a team avoid common mistakes such as simple passwords, duplicated passwords, etc. “We’ve opted for solutions like LastPass,” Ms. Greyson says, “where we can hold enterprise passwords and share them based on positions and permissions on the team.”
Password managers such as Dashlane and LastPass range from free to reasonably priced (I use Encryptr for free), and they all enable an organization, or an individual, to store and recall complex passwords. Granted, I once worked with a fellow who could remember thousands of individual passwords with no memory aids. We mere mortals, however, have three choices: duplicate passwords, write passwords down, or use a password manager. The first two methods are a recipe for having one’s systems breached. Use a password manager.
Especially If You Use The Internet
Each of us—even corporate bigwigs responsible for the personal data of millions—is also a vulnerable consumer whose data is at risk. And the practices for keeping one’s own data safe share much in common with corporate best practices.
Beyond using unique, complex passwords across all accounts, Mr. Hiller recommends that people and organizations “always, always, always use two-factor authentication.” Two-factor authentication, usually shortened to 2FA, forces an additional step beyond the common username-and-password login. Often, a site will text a code to your cell phone and present a text box into which you enter that code. But there are other types of 2FA as well, and they’re not all equal in efficacy, or in security.
It turns out that the text-message 2FA system can be compromised quite easily by a determined party. SIM cards can be ‘spoofed,’ which essentially means that hackers can make the cellular network believe they have your phone, allowing them to receive your 2FA confirmation texts.
More secure are time-based one-time passwords (TOTP), which are delivered in different ways. A common form relies on an app such as Google Authenticator or Authy to generate a code on the fly. The code expires after 30 seconds, after which you’ll need the newest code.
Another type of TOTP uses a physical device that interacts with an app to generate the code. If you don’t have possession of the device, you’re not accessing the account. (I use a Yubikey NEO.)
Most online services these days have a 2FA option. Facebook, Twitter, most banks, stock trading platforms, cryptocurrency exchanges, and ecommerce sites all have it. If a major online service doesn’t have 2FA available, they’re woefully behind the times. And if they have 2FA available, you should be using it. In your personal life. At work. Everywhere.
Regardless of your relationship to data (yours and others’), digital privacy needs its due. “Don’t ignore it and think it doesn’t apply to you,” says Mr. Lowe. It does.